GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-20 20:53:28 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST500DM002-1BD142 rev.KC45 465,76GB Running: ro22wgq3.exe; Driver: C:\Users\Bar_Raf\AppData\Local\Temp\kwloyfob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[628] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88d9e890} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88d9e590} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100120240 
.text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88d9e090} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes 
JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\wininit.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 
00000000774e02b0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\wininit.exe[700] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\wininit.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\wininit.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100120470 
.text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 
0xffffffff88d9e890} .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88d9e590} .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88d9e090} .text C:\Windows\system32\csrss.exe[724] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100120200 .text 
C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text 
C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\services.exe[756] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\services.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\services.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 
00000000774e0480 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\lsass.exe[776] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text 
C:\Windows\system32\lsass.exe[776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text 
C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text 
C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text 
C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\lsm.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 
0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text 
C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\winlogon.exe[844] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text 
C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[928] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 
00000000774e04b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[928] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text 
C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 
0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[156] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\atiesrxx.exe[708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 
00000000774e03e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[944] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 
00000000774e0360 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[944] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 
.text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[1044] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 
00000000774e0400 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[1044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes 
JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[1072] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1072] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 
byte [62] .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[1096] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte 
JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[1096] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1096] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 
00000000774e0390 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\AUDIODG.EXE[1184] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 
00000000774e0380 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\AUDIODG.EXE[1184] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\atieclxx.exe[1344] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes 
{JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text 
C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\atieclxx.exe[1344] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\atieclxx.exe[1344] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes 
JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[1372] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 
00000000774e0450 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1372] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\Dwm.exe[1624] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text 
C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text 
C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 
.text C:\Windows\system32\Dwm.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001000703b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[1684] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100070230 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88cee890} .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100070490 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100070330 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88cee590} .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[1684] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88cee090} .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001000704a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001000704b0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100070450 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[1684] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[1684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text 
C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\spoolsv.exe[1860] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 
.text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\spoolsv.exe[1860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\svchost.exe[1940] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 
00000000774e0490 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\svchost.exe[1940] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 
bytes JMP 00000000774e0420 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\svchost.exe[1940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Program 
Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2024] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\PixArt\Pac207\Monitor.exe[2044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Windows\PixArt\Pac207\Monitor.exe[2044] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Windows\PixArt\Pac207\Monitor.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000241465 2 bytes [24, 00] .text C:\Windows\PixArt\Pac207\Monitor.exe[2044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002414bb 2 bytes [24, 00] .text ... * 2 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text 
C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\taskhost.exe[1440] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes 
JMP 00000000774e0380 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\taskhost.exe[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text D:\gg\Gadu-Gadu 10\gg.exe[1676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text D:\gg\Gadu-Gadu 10\gg.exe[1676] 
C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text D:\gg\Gadu-Gadu 10\gg.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000003bb1465 2 bytes [BB, 03] .text D:\gg\Gadu-Gadu 10\gg.exe[1676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000003bb14bb 2 bytes [BB, 03] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1540] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1540] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000241465 2 bytes [24, 00] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002414bb 2 bytes [24, 00] .text ... * 2 .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1644] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1644] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... 
* 2 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text D:\hamachi-2.exe[1332] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text D:\hamachi-2.exe[1332] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text D:\hamachi-2.exe[1332] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text D:\hamachi-2.exe[1332] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text D:\hamachi-2.exe[1332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\SysWOW64\schtasks.exe[2112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Windows\SysWOW64\schtasks.exe[2112] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Windows\SysWOW64\schtasks.exe[2112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Windows\SysWOW64\schtasks.exe[2112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2136] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2136] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\ProgramData\BrowserProtect\2.6.1095.52\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2136] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... 
* 2 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[2348] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88cee890} .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88cee590} .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000773821c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88cee090} .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001000701f0 .text 
C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\taskeng.exe[2348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Program Files\Intel\iCLS 
Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[2400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2484] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2484] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe[2484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... 
* 2 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[2532] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88cee890} .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88cee590} .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
00000000773821c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88cee090} .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001000701f0 .text 
C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100070280 .text D:\hamachi-2-ui.exe[2628] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text D:\hamachi-2-ui.exe[2628] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text D:\hamachi-2-ui.exe[2628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000001d1465 2 bytes [1D, 00] .text D:\hamachi-2-ui.exe[2628] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000001d14bb 2 bytes [1D, 00] .text ... 
* 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2800] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2800] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[2800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2856] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[2856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... 
* 2 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[2972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[2972] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[2972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[3032] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 
00000000774e03d0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[3032] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[3032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3260] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage 
Technology\IAStorIcon.exe[3260] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3260] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3300] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe[3300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3660] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3660] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3660] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... 
* 2 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3680] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3680] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000774e1465 2 bytes [4E, 77] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000774e14bb 2 bytes [4E, 77] .text ... * 2 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000000774e03e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 
bytes JMP 00000000774e0390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000000774e0400 .text C:\Program Files (x86)\ATI 
Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[3688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000002d1465 2 bytes [2D, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3704] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002d14bb 2 bytes [2D, 00] .text ... 
* 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3712] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077353ae0 5 bytes JMP 000000010043075c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077357a90 5 bytes JMP 00000001004303a4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077381490 5 bytes JMP 0000000100430b14 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773814f0 5 bytes JMP 0000000100430ecc .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 000000010043163c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 00000000774e0320 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 
00000000774e02e0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077381810 5 bytes JMP 0000000100431284 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 00000000774e0360 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 
00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000001004319f4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\system32\SearchIndexer.exe[3748] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Windows\system32\SearchIndexer.exe[3748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007752faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007752fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007752fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077530018 5 bytes JMP 0000000100030a08 .text 
C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077531900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007754c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077551217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Google\Update\1.3.21.135\GoogleCrashHandler.exe[3896] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077353ae0 5 bytes JMP 00000001002f075c .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077357a90 5 bytes JMP 00000001002f03a4 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077381490 5 bytes JMP 00000001002f0b14 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773814f0 5 bytes JMP 00000001002f0ecc .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 00000001002f163c .text C:\Windows\system32\svchost.exe[4264] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077381810 5 bytes JMP 00000001002f1284 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88cee890} .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000077381c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88cee590} .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88cee090} .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100070300 .text 
C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000001002f19f4 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[4264] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Windows\system32\svchost.exe[4264] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Windows\System32\WUDFHost.exe[4632] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Windows\System32\WUDFHost.exe[4632] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077353ae0 5 bytes JMP 000000010029075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077357a90 5 bytes JMP 00000001002903a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077381490 5 bytes JMP 0000000100290b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773814f0 5 bytes JMP 0000000100290ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 0000000100070370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 000000010029163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077381810 5 bytes JMP 0000000100291284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 0000000100070230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0xffffffff88cee890} .text C:\Program Files\Windows 
Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 0000000100070490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 0000000100070330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0xffffffff88cee590} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 0000000100070410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 
byte JMP 0000000100070250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0xffffffff88cee090} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000001000704b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 0000000100070450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 0000000100070260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000001002919f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c 
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4944] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077353ae0 5 bytes JMP 000000010020075c .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077357a90 5 bytes JMP 00000001002003a4 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773813c0 5 bytes JMP 00000000774e0470 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077381410 5 bytes JMP 00000000774e0460 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077381490 5 bytes JMP 0000000100200b14 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773814f0 5 bytes JMP 0000000100200ecc .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077381570 5 bytes JMP 00000000774e0370 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773815c0 5 bytes JMP 00000000774e0480 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773815d0 5 bytes JMP 000000010020163c .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077381680 5 bytes JMP 
00000000774e0320 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773816b0 5 bytes JMP 00000000774e03b0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773816d0 5 bytes JMP 00000000774e0390 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077381710 5 bytes JMP 00000000774e02e0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077381760 5 bytes JMP 00000000774e0440 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077381790 5 bytes JMP 00000000774e02d0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773817b0 5 bytes JMP 00000000774e0310 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773817f0 5 bytes JMP 00000000774e03c0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077381810 5 bytes JMP 0000000100201284 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077381840 5 bytes JMP 00000000774e03f0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773819a0 1 byte JMP 00000000774e0230 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773819a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077381b60 5 bytes JMP 00000000774e0490 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077381b90 5 bytes JMP 00000000774e03a0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077381c70 5 bytes JMP 00000000774e02f0 .text C:\Windows\System32\svchost.exe[3460] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077381c80 5 bytes JMP 00000000774e0350 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077381ce0 5 bytes JMP 00000000774e0290 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077381d70 5 bytes JMP 00000000774e02b0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077381d90 5 bytes JMP 00000000774e03d0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077381da0 1 byte JMP 00000000774e0330 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077381da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077381e10 5 bytes JMP 00000000774e0410 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077381e40 5 bytes JMP 00000000774e0240 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077382100 5 bytes JMP 00000000774e01e0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773821c0 1 byte JMP 00000000774e0250 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773821c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773821f0 5 bytes JMP 00000000774e04a0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077382200 5 bytes JMP 00000000774e04b0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077382230 5 bytes JMP 00000000774e0300 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077382240 5 bytes JMP 
00000000774e0360 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773822a0 5 bytes JMP 00000000774e02a0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773822f0 5 bytes JMP 00000000774e02c0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077382320 5 bytes JMP 00000000774e0380 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077382330 5 bytes JMP 00000000774e0340 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077382620 5 bytes JMP 00000000774e0450 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077382820 5 bytes JMP 00000000774e0260 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077382830 5 bytes JMP 00000000774e0270 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077382840 5 bytes JMP 00000001002019f4 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077382a00 5 bytes JMP 00000000774e01f0 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077382a10 5 bytes JMP 00000000774e0210 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077382a80 5 bytes JMP 00000000774e0200 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077382ae0 5 bytes JMP 00000000774e0420 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077382af0 5 bytes JMP 00000000774e0430 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077382b00 5 bytes JMP 00000000774e0220 .text C:\Windows\System32\svchost.exe[3460] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077382be0 5 bytes JMP 00000000774e0280 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Windows\System32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdb76e00 5 bytes JMP 000007ff7db91dac .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdb76f2c 5 bytes JMP 000007ff7db90ecc .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdb77220 5 bytes JMP 000007ff7db91284 .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdb7739c 5 bytes JMP 000007ff7db9163c .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdb77538 5 bytes JMP 000007ff7db919f4 .text 
C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdb775e8 5 bytes JMP 000007ff7db903a4 .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdb7790c 5 bytes JMP 000007ff7db9075c .text C:\Windows\system32\wbem\wmiprvse.exe[5280] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdb77ab4 5 bytes JMP 000007ff7db90b14 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007752faa0 5 bytes JMP 0000000100240600 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007752fb38 5 bytes JMP 0000000100240804 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007752fc90 5 bytes JMP 0000000100240c0c .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077530018 5 bytes JMP 0000000100240a08 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077531900 5 bytes JMP 0000000100240e10 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007754c45a 5 bytes JMP 00000001002401f8 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077551217 5 bytes JMP 00000001002403fc .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075bfa30a 1 byte [62] .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076c35181 5 bytes JMP 0000000100251014 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076c35254 5 bytes JMP 0000000100250804 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076c353d5 5 bytes JMP 0000000100250a08 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076c354c2 5 bytes JMP 0000000100250c0c .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 
0000000076c355e2 5 bytes JMP 0000000100250e10 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076c3567c 5 bytes JMP 00000001002501f8 .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076c3589f 5 bytes JMP 00000001002503fc .text H:\ro22wgq3.exe[6088] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076c35a22 5 bytes JMP 0000000100250600 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d2ee09 5 bytes JMP 00000001002601f8 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074d33982 5 bytes JMP 00000001002603fc .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074d37603 5 bytes JMP 0000000100260804 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074d3835c 5 bytes JMP 0000000100260600 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074d4cfca 5 bytes JMP 00000001724a44c0 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074d4f52b 5 bytes JMP 0000000100260a08 .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000002b1465 2 bytes [2B, 00] .text H:\ro22wgq3.exe[6088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002b14bb 2 bytes [2B, 00] .text ... * 2 ---- Services - GMER 2.1 ---- Service C:\Program Files\AVAST Software\Avast\afwServ.exe (*** hidden *** ) [AUTO] avast! Firewall <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? 
Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Description avast! TDI Firewall driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswFW Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! 
keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 6 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! 
WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 23 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 503696 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! 
virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall@Description Implements main functionality for avast! Firewall Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Firewall Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DisplayName avast! TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswFW@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Description avast! 
TDI Firewall driver Reg HKLM\SYSTEM\ControlSet002\services\aswFW@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswFW\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 6 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 23 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 503696 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ImagePath "C:\Program Files\AVAST Software\Avast\afwServ.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@DisplayName avast! Firewall Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Firewall@Description Implements main functionality for avast! Firewall ---- EOF - GMER 2.1 ----