GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-20 13:19:49 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000007b ATA_____ rev.0003 931,51GB Running: gtid7911.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\aftcaaog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000149c50470 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000149c50460 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000149c50370 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000149c50480 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000149c503e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000149c50320 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000149c503b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000149c50390 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000149c502e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000149c50440 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000149c502d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000149c50310 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
00000000779617f0 5 bytes JMP 0000000149c503c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000149c503f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000149c50230 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0xffffffffd22ee890} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000149c50490 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000149c503a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000149c502f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000149c50350 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000149c50290 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000149c502b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000149c503d0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000149c50330 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffffd22ee590} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000149c50410 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000149c50240 .text C:\Windows\system32\csrss.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000149c501e0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000149c50250 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffffd22ee090} .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000149c504a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000149c504b0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000149c50300 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000149c50360 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000149c502a0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000149c502c0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000149c50380 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000149c50340 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000149c50450 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000149c50260 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000149c50270 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000149c50400 .text 
C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000149c501f0 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000149c50210 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000149c50200 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000149c50420 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000149c50430 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000149c50220 .text C:\Windows\system32\csrss.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000149c50280 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\wininit.exe[640] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text 
C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\wininit.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\wininit.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000149c50470 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 
0000000077961410 5 bytes JMP 0000000149c50460 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000149c50370 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000149c50480 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000149c503e0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000149c50320 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000149c503b0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000149c50390 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000149c502e0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000149c50440 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000149c502d0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000149c50310 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000149c503c0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000149c503f0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000149c50230 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0xffffffffd22ee890} .text C:\Windows\system32\csrss.exe[660] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000149c50490 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000149c503a0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000149c502f0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000149c50350 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000149c50290 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000149c502b0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000149c503d0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000149c50330 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffffd22ee590} .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000149c50410 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000149c50240 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000149c501e0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000149c50250 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffffd22ee090} .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 
0000000149c504a0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000149c504b0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000149c50300 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000149c50360 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000149c502a0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000149c502c0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000149c50380 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000149c50340 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000149c50450 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000149c50260 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000149c50270 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000149c50400 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000149c501f0 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000149c50210 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000149c50200 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
0000000077962ae0 5 bytes JMP 0000000149c50420 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000149c50430 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000149c50220 .text C:\Windows\system32\csrss.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000149c50280 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 00000001000702d0 .text 
C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0xffffffff8870e890} .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffff8870e590} .text C:\Windows\system32\services.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffff8870e090} .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 
bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\winlogon.exe[736] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes 
JMP 0000000077ac02f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\winlogon.exe[736] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes 
JMP 0000000077ac0220 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 
bytes JMP 0000000077ac03c0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 
0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\lsass.exe[748] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\lsass.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text 
C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text 
C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text 
C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\lsm.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 
0000000077ac0480 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[868] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 
0000000077ac0300 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[868] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text 
C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[964] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes 
JMP 0000000077ac03b0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\svchost.exe[384] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 
.text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\svchost.exe[496] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 
0x15e090} .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\svchost.exe[496] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\svchost.exe[496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text 
C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 
0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[516] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 
bytes JMP 0000000077ac0370 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes 
JMP 0000000077ac0490 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 
0000000077ac04a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes 
JMP 0000000077ac0200 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\IDT\WDM\STacSV64.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text 
C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[1140] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 
.text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[1428] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 
0000000077ac0490 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[1428] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 
bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[1428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\WLANExt.exe[1548] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes 
{JMP 0x15e590} .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\WLANExt.exe[1548] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\WLANExt.exe[1548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 
0000000077ac0480 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes 
JMP 0000000077ac02f0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 
bytes JMP 0000000077ac0360 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\Dwm.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 
bytes JMP 0000000077ac0280 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text 
C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\taskhost.exe[1820] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\taskhost.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\Explorer.EXE[1828] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text 
C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\Explorer.EXE[1828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\Explorer.EXE[1828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text 
C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\spoolsv.exe[1836] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 
bytes JMP 0000000077ac04b0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\spoolsv.exe[1836] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\spoolsv.exe[1836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 
0000000077ac02d0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1912] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 
0000000077ac0260 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1160] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text 
C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 
00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program 
Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 0000000077ac03e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Intel\iCLS 
Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text 
C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 
0000000077ac04b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 0000000077ac0400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 
0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[1996] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Windows\SysWOW64\srvany.exe[1728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100230600 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100230804 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100230c0c .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100230a08 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100230e10 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001002301f8 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001002303fc .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 
00000000758fa30a 1 byte [62] .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 0000000100241014 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 0000000100240804 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 0000000100240a08 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 0000000100240c0c .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 0000000100240e10 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001002401f8 .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001002403fc .text C:\Windows\KMService.exe[2276] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 0000000100240600 .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001002501f8 .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001002503fc .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 0000000100250804 .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 0000000100250600 .text C:\Windows\KMService.exe[2276] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 0000000100250a08 .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\conhost.exe[2288] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\conhost.exe[2288] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001003a075c .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001003a03a4 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001003a0b14 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001003a0ecc .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes 
JMP 0000000077ac0370 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001003a163c .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001003a1284 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 
1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 
0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001003a19f4 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program 
Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\Intel\WiFi\bin\CCDashServer.exe[2428] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program 
Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001002e163c .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001002e1284 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
+ 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002e19f4 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text 
C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program 
Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\Dell\QuickSet\quickset.exe[2464] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\IDT\WDM\sttray64.exe[2540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010036075c .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001003603a4 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 
0000000077ac0470 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100360b14 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100360ecc .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010036163c .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 
0000000077ac03c0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100361284 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 
bytes JMP 0000000077ac0410 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 
0000000077ac0260 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001003619f4 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 
000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\DellTPad\Apoint.exe[2648] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010030075c .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001003003a4 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100300b14 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100300ecc .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010030163c .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100301284 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program 
Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 
0000000077ac04b0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001003019f4 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 
0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\DellTPad\ApMsgFwd.exe[2676] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001005d075c .text C:\Program Files\DellTPad\Apntex.exe[2708] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001005d03a4 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001005d0b14 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001005d0ecc .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001005d163c .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\DellTPad\Apntex.exe[2708] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001005d1284 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program 
Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program 
Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001005d19f4 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text 
C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\DellTPad\Apntex.exe[2708] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001001f075c .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001001f03a4 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001001f0b14 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001001f0ecc .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text 
C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001001f163c .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001001f1284 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\conhost.exe[2724] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 
bytes JMP 0000000077ac04b0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001001f19f4 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\conhost.exe[2724] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\conhost.exe[2724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\DellTPad\HidFind.exe[2752] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\DellTPad\HidFind.exe[2752] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010023075c .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002303a4 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100230b14 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100230ecc .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\igfxtray.exe[2784] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010023163c .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100231284 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text 
C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002319f4 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\igfxtray.exe[2784] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\System32\igfxtray.exe[2784] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001004c075c .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001004c03a4 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 
00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001004c0b14 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001004c0ecc .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001004c163c .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\hkcmd.exe[2824] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001004c1284 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 
0000000077ac0240 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
0000000077962840 5 bytes JMP 00000001004c19f4 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text 
C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\System32\hkcmd.exe[2824] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001003e075c .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001003e03a4 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001003e0b14 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001003e0ecc .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001003e163c .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\igfxpers.exe[2860] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001003e1284 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 
0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text 
C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001003e19f4 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2860] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\System32\igfxpers.exe[2860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\svchost.exe[2612] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\svchost.exe[2612] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010028075c .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002803a4 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100280b14 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100280ecc .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010028163c .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program 
Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100281284 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 
0x15e090} .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002819f4 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 
000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[3008] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\wbem\unsecapp.exe[3252] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001001b075c .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001001b03a4 .text 
C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001001b0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001001b0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001001b163c .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 
0000000077ac0310 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001001b1284 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 
0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 
0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001001b19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3336] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\wbem\wmiprvse.exe[3336] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\svchost.exe[3664] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text 
C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010022075c .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002203a4 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100220b14 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100220ecc .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010022163c .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 
0000000077ac0440 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100221284 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002219f4 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3732] 
C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\SearchIndexer.exe[3732] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010013075c .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\svchost.exe[4024] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010013163c .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100131284 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 
0xffffffff8870e890} .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0xffffffff8870e590} .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0xffffffff8870e090} .text 
C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001001319f4 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[4024] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\svchost.exe[4024] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 
000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\svchost.exe[132] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 
bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\KERNEL32.dll!SetUnhandledExceptionFilter 00000000758d87b1 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 
00000000759eee09 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[3420] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 00000001000c0a08 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4116] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001003a075c .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001003a0b14 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text 
C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001003a163c .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001003a1284 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\svchost.exe[5064] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 
bytes JMP 0000000077ac04b0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001003a19f4 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\svchost.exe[5064] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\System32\svchost.exe[5064] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 
00000000760c55e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000171465 2 bytes [17, 00] .text C:\Program Files (x86)\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[160] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000001714bb 2 bytes [17, 00] .text ... 
* 2 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077ac1465 2 bytes [AC, 77] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[4456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000077ac14bb 2 bytes [AC, 77] .text ... 
* 2 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010009075c .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001000903a4 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100090b14 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100090ecc .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010009163c .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program 
Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100091284 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program 
Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001000919f4 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[3636] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010029075c .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002903a4 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100290b14 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100290ecc .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010029163c .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 
bytes JMP 0000000077ac0320 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100291284 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Program 
Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] 
C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 
00000001002919f4 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program 
Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[4804] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Program Files 
(x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] 
C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[1568] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100080c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100080e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000803fc .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 00000001000f1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 00000001000f0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 00000001000f0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 00000001000f0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 00000001000f0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001000f01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001000f03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 00000001000f0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001001b01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 
bytes JMP 00000001001b03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 00000001001b0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 00000001001b0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4928] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 00000001001b0a08 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 00000001002a075c .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002a03a4 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 00000001002a0b14 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 00000001002a0ecc .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 00000001002a163c .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text 
C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 00000001002a1284 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\System32\svchost.exe[3528] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 
0000000077ac0360 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002a19f4 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\System32\svchost.exe[3528] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\System32\svchost.exe[3528] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 
00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[972] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 00000001000b0a08 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\wuauclt.exe[1804] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010029163c .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077961810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 
0x15e890} .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wuauclt.exe[1804] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001002919f4 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 
bytes JMP 0000000077ac0200 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\system32\wuauclt.exe[1804] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077933ae0 5 bytes JMP 000000010018075c .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077937a90 5 bytes JMP 00000001001803a4 .text C:\Windows\notepad.exe[4508] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000779613c0 5 bytes JMP 0000000077ac0470 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077961410 5 bytes JMP 0000000077ac0460 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077961490 5 bytes JMP 0000000100180b14 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000779614f0 5 bytes JMP 0000000100180ecc .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077961570 5 bytes JMP 0000000077ac0370 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000779615c0 5 bytes JMP 0000000077ac0480 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000779615d0 5 bytes JMP 000000010018163c .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077961680 5 bytes JMP 0000000077ac0320 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000779616b0 5 bytes JMP 0000000077ac03b0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000779616d0 5 bytes JMP 0000000077ac0390 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077961710 5 bytes JMP 0000000077ac02e0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077961760 5 bytes JMP 0000000077ac0440 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077961790 5 bytes JMP 0000000077ac02d0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000779617b0 5 bytes JMP 0000000077ac0310 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000779617f0 5 bytes JMP 0000000077ac03c0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
0000000077961810 5 bytes JMP 0000000100181284 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077961840 5 bytes JMP 0000000077ac03f0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000779619a0 1 byte JMP 0000000077ac0230 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000779619a2 3 bytes {JMP 0x15e890} .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077961b60 5 bytes JMP 0000000077ac0490 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077961b90 5 bytes JMP 0000000077ac03a0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077961c70 5 bytes JMP 0000000077ac02f0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077961c80 5 bytes JMP 0000000077ac0350 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077961ce0 5 bytes JMP 0000000077ac0290 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077961d70 5 bytes JMP 0000000077ac02b0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077961d90 5 bytes JMP 0000000077ac03d0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077961da0 1 byte JMP 0000000077ac0330 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077961da2 3 bytes {JMP 0x15e590} .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077961e10 5 bytes JMP 0000000077ac0410 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077961e40 5 bytes JMP 0000000077ac0240 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077962100 5 bytes JMP 0000000077ac01e0 .text 
C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000779621c0 1 byte JMP 0000000077ac0250 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000779621c2 3 bytes {JMP 0x15e090} .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000779621f0 5 bytes JMP 0000000077ac04a0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077962200 5 bytes JMP 0000000077ac04b0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077962230 5 bytes JMP 0000000077ac0300 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077962240 5 bytes JMP 0000000077ac0360 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000779622a0 5 bytes JMP 0000000077ac02a0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000779622f0 5 bytes JMP 0000000077ac02c0 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077962320 5 bytes JMP 0000000077ac0380 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077962330 5 bytes JMP 0000000077ac0340 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077962620 5 bytes JMP 0000000077ac0450 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077962820 5 bytes JMP 0000000077ac0260 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077962830 5 bytes JMP 0000000077ac0270 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077962840 5 bytes JMP 00000001001819f4 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077962a00 5 bytes JMP 0000000077ac01f0 .text C:\Windows\notepad.exe[4508] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077962a10 5 bytes JMP 0000000077ac0210 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077962a80 5 bytes JMP 0000000077ac0200 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077962ae0 5 bytes JMP 0000000077ac0420 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077962af0 5 bytes JMP 0000000077ac0430 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077962b00 5 bytes JMP 0000000077ac0220 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077962be0 5 bytes JMP 0000000077ac0280 .text C:\Windows\notepad.exe[4508] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007728eecd 1 byte [62] .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Windows\notepad.exe[4508] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Windows\SysWOW64\ctfmon.exe[2768] 
C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077b0faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077b0fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077b0fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b10018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077b11900 5 bytes JMP 0000000100030e10 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077b2c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077b31217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000759eee09 5 bytes JMP 00000001000a01f8 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000759f3982 5 bytes JMP 00000001000a03fc .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000759f7603 5 bytes JMP 00000001000a0804 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000759f835c 5 bytes JMP 00000001000a0600 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075a0f52b 5 bytes JMP 00000001000a0a08 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000760c5181 5 bytes JMP 0000000100161014 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000760c5254 5 bytes 
JMP 0000000100160804 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000760c53d5 5 bytes JMP 0000000100160a08 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000760c54c2 5 bytes JMP 0000000100160c0c .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000760c55e2 5 bytes JMP 0000000100160e10 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000760c567c 5 bytes JMP 00000001001601f8 .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000760c589f 5 bytes JMP 00000001001603fc .text C:\Windows\SysWOW64\ctfmon.exe[2768] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000760c5a22 5 bytes JMP 0000000100160600 .text C:\Users\Kuba\Downloads\gtid7911.exe[1320] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758fa30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4716:4304] 000007feffa20168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4716:4352] 000007fefc1f2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4716:3808] 000007fef0dbd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4716:4200] 000007fef4605124 Thread C:\Windows\System32\svchost.exe [3528:4068] 000007feefc79688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 101 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 3542878 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\84a6c8249239 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 101 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 3542878 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition3\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\84a6c8249239 (not active ControlSet) ---- EOF - GMER 2.1 ----