GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-02 17:18:22 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0002SDM1 465,76GB Running: 7vfwr4hm.exe; Driver: C:\Users\BARTOM~1\AppData\Local\Temp\awdiyaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 00000001496b0470 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 00000001496b0460 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 00000001496b03e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 00000001496b0320 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 00000001496b0390 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 00000001496b02e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 00000001496b02d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 00000001496b0310 .text C:\Windows\system32\csrss.exe[424] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 00000001496b03c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0xffffffffd1a3e890} .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 00000001496b0490 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0xffffffffd1a3e590} .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 00000001496b0240 
.text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0xffffffffd1a3e090} .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 00000001496b04b0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 00000001496b0450 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes 
JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 00000001496b0200 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\wininit.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 
0000000077dd02b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\wininit.exe[484] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\wininit.exe[484] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\wininit.exe[484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 00000001496b0470 
.text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 00000001496b0460 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 00000001496b0370 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 00000001496b0480 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 00000001496b03e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 00000001496b0320 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 00000001496b03b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 00000001496b0390 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 00000001496b02e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 00000001496b0440 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 00000001496b02d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 00000001496b0310 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 00000001496b03c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 00000001496b03f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 00000001496b0230 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 
0xffffffffd1a3e890} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 00000001496b0490 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 00000001496b03a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 00000001496b02f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 00000001496b0350 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 00000001496b0290 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 00000001496b02b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 00000001496b03d0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 00000001496b0330 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0xffffffffd1a3e590} .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 00000001496b0410 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 00000001496b0240 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 00000001496b01e0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 00000001496b0250 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0xffffffffd1a3e090} .text C:\Windows\system32\csrss.exe[500] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 00000001496b04a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 00000001496b04b0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 00000001496b0300 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 00000001496b0360 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 00000001496b02a0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 00000001496b02c0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 00000001496b0380 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 00000001496b0340 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 00000001496b0450 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 00000001496b0260 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 00000001496b0270 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 00000001496b0400 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 00000001496b01f0 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 00000001496b0210 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 00000001496b0200 .text 
C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 00000001496b0420 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 00000001496b0430 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 00000001496b0220 .text C:\Windows\system32\csrss.exe[500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 00000001496b0280 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text 
C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\winlogon.exe[552] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 
bytes JMP 0000000077dd0480 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\services.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 
0000000077dd0300 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\services.exe[592] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\services.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\services.exe[592] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text 
C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 
0000000077dd0240 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 
bytes JMP 0000000077dd0400 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 
0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 
0000000077dd0340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 
0000000077dd0300 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000100070310 .text 
C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0xffffffff883fe890} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0xffffffff883fe590} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[800] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0xffffffff883fe090} .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 
0000000100070270 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\svchost.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 
0000000077dd0350 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\svchost.exe[892] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 
.text C:\Windows\System32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text 
C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\System32\svchost.exe[928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[956] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 
0000000077dd02b0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[956] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 
0000000077dd0470 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[980] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 
0x15e090} .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[980] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text 
C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 
0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\AUDIODG.EXE[436] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\AUDIODG.EXE[436] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 
0000000077dd0370 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[1144] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 
bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[1144] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[1144] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 
0000000077dd02d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1432] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 
0000000077dd0260 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[1464] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes 
JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\svchost.exe[1464] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes 
JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1536] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1536] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... * 2 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes 
JMP 0000000077dd0390 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 
bytes JMP 0000000077dd03d0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 
0000000077dd0340 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\Dwm.exe[1664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes 
JMP 0000000077dd0480 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\Explorer.EXE[1728] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 
0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\Explorer.EXE[1728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\Explorer.EXE[1728] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text 
C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1844] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\svchost.exe[1936] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 
0000000077dd03d0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\svchost.exe[1936] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\svchost.exe[1936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Windows\SysWOW64\svchost.exe[1992] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 
0000000173224720 .text C:\Windows\SysWOW64\svchost.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Windows\SysWOW64\svchost.exe[1992] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... * 2 .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2024] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\ProgramData\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[2024] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... 
* 2 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\taskhost.exe[1720] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text 
C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\taskhost.exe[1720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2180] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2180] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... 
* 2 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\system32\taskeng.exe[2188] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte 
JMP 0000000077dd0250 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\taskeng.exe[2188] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\taskeng.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2368] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2368] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... 
* 2 .text C:\Windows\system32\svchost.exe[2432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\svchost.exe[2500] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes 
JMP 0000000077dd01e0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\svchost.exe[2500] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\svchost.exe[2500] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text 
C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\rundll32.exe[2868] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\System32\rundll32.exe[2868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1564] 
C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1564] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe[1564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... * 2 .text D:\Program Files\AVAST Software\Avast\AvastUI.exe[3084] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3124] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3124] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe[3124] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... 
* 2 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes JMP 0000000077dd0320 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 
0000000077dd03f0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 
bytes JMP 0000000077dd01e0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 0000000077dd02a0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 
0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\system32\SearchIndexer.exe[3660] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077c713c0 5 bytes JMP 0000000077dd0470 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077c71410 5 bytes JMP 0000000077dd0460 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077c71570 5 bytes JMP 0000000077dd0370 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077c715c0 5 bytes JMP 0000000077dd0480 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077c715d0 5 bytes JMP 0000000077dd03e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077c71680 5 bytes 
JMP 0000000077dd0320 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c716b0 5 bytes JMP 0000000077dd03b0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077c716d0 5 bytes JMP 0000000077dd0390 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c71710 5 bytes JMP 0000000077dd02e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077c71760 5 bytes JMP 0000000077dd0440 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c71790 5 bytes JMP 0000000077dd02d0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077c717b0 5 bytes JMP 0000000077dd0310 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077c717f0 5 bytes JMP 0000000077dd03c0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077c71840 5 bytes JMP 0000000077dd03f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077c719a0 1 byte JMP 0000000077dd0230 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077c719a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077c71b60 5 bytes JMP 0000000077dd0490 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077c71b90 5 bytes JMP 0000000077dd03a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077c71c70 5 bytes JMP 0000000077dd02f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077c71c80 5 bytes JMP 0000000077dd0350 .text C:\Windows\System32\svchost.exe[3396] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c71ce0 5 bytes JMP 0000000077dd0290 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c71d70 5 bytes JMP 0000000077dd02b0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077c71d90 5 bytes JMP 0000000077dd03d0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077c71da0 1 byte JMP 0000000077dd0330 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077c71da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077c71e10 5 bytes JMP 0000000077dd0410 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077c71e40 5 bytes JMP 0000000077dd0240 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077c72100 5 bytes JMP 0000000077dd01e0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077c721c0 1 byte JMP 0000000077dd0250 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077c721c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077c721f0 5 bytes JMP 0000000077dd04a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077c72200 5 bytes JMP 0000000077dd04b0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077c72230 5 bytes JMP 0000000077dd0300 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077c72240 5 bytes JMP 0000000077dd0360 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c722a0 5 bytes JMP 
0000000077dd02a0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c722f0 5 bytes JMP 0000000077dd02c0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077c72320 5 bytes JMP 0000000077dd0380 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077c72330 5 bytes JMP 0000000077dd0340 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077c72620 5 bytes JMP 0000000077dd0450 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077c72820 5 bytes JMP 0000000077dd0260 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077c72830 5 bytes JMP 0000000077dd0270 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077c72840 5 bytes JMP 0000000077dd0400 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077c72a00 5 bytes JMP 0000000077dd01f0 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077c72a10 5 bytes JMP 0000000077dd0210 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077c72a80 5 bytes JMP 0000000077dd0200 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077c72ae0 5 bytes JMP 0000000077dd0420 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077c72af0 5 bytes JMP 0000000077dd0430 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077c72b00 5 bytes JMP 0000000077dd0220 .text C:\Windows\System32\svchost.exe[3396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077c72be0 5 bytes JMP 0000000077dd0280 .text C:\Windows\notepad.exe[3956] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000077b5eecd 1 byte [62] .text I:\7vfwr4hm.exe[3044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007792a30a 1 byte [62] .text I:\7vfwr4hm.exe[3044] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000075a2cfca 5 bytes JMP 0000000173224720 .text I:\7vfwr4hm.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075af1465 2 bytes [AF, 75] .text I:\7vfwr4hm.exe[3044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075af14bb 2 bytes [AF, 75] .text ... * 2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 14 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 320382 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\d:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\d:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "d:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 14 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 320382 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\d:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\d:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "d:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. ---- EOF - GMER 2.1 ----