GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-05 16:34:12 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: 44js98fw.exe; Driver: C:\Users\emil\AppData\Local\Temp\aftcyaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000149bc0460 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000149bc0450 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000149bc0370 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000149bc0470 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 0000000149bc03e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000149bc0320 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 0000000149bc03b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000149bc0390 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 0000000149bc02e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 0000000149bc02d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000149bc0310 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 0000000149bc03c0 .text C:\Windows\system32\csrss.exe[444] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 0000000149bc03f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000149bc0230 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000149bc0480 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 0000000149bc03a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 0000000149bc02f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000149bc0350 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000149bc0290 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 0000000149bc02b0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 0000000149bc03d0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000149bc0330 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000149bc0410 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000149bc0240 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 0000000149bc01e0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000149bc0250 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000149bc0490 .text 
C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 0000000149bc04a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000149bc0300 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000149bc0360 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 0000000149bc02a0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 0000000149bc02c0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000149bc0380 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000149bc0340 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000149bc0440 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000149bc0260 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000149bc0270 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 0000000149bc0400 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 0000000149bc01f0 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000149bc0210 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000149bc0200 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes 
JMP 0000000149bc0420 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000149bc0430 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000149bc0220 .text C:\Windows\system32\csrss.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000149bc0280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\wininit.exe[512] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 
00000000775e0250 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\wininit.exe[512] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\wininit.exe[512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\wininit.exe[512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000149bc0460 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000149bc0450 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000149bc0370 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000149bc0470 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 0000000149bc03e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000149bc0320 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 0000000149bc03b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000149bc0390 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 0000000149bc02e0 .text 
C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 0000000149bc02d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000149bc0310 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 0000000149bc03c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 0000000149bc03f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000149bc0230 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000149bc0480 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 0000000149bc03a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 0000000149bc02f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000149bc0350 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000149bc0290 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 0000000149bc02b0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 0000000149bc03d0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000149bc0330 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000149bc0410 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 
bytes JMP 0000000149bc0240 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 0000000149bc01e0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000149bc0250 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000149bc0490 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 0000000149bc04a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000149bc0300 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000149bc0360 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 0000000149bc02a0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 0000000149bc02c0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000149bc0380 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000149bc0340 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000149bc0440 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000149bc0260 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000149bc0270 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 0000000149bc0400 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
00000000774829a0 5 bytes JMP 0000000149bc01f0 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000149bc0210 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000149bc0200 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000149bc0420 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000149bc0430 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000149bc0220 .text C:\Windows\system32\csrss.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000149bc0280 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000100070390 .text 
C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\services.exe[572] 
C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 
0000000100070270 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\lsass.exe[588] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text 
C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 
00000000775e0440 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 
0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 
0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 
bytes JMP 00000000775e0340 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\lsm.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes 
JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[712] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 
.text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 
0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\nvvsvc.exe[800] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\nvvsvc.exe[800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text 
C:\Windows\system32\nvvsvc.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 
bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text 
C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[848] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[848] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[916] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 
0000000100070250 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000100070490 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[916] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text 
C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[956] 
C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 
.text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[992] 
C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 
00000000775e03d0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[992] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[992] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 
00000000775e0470 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[112] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 
.text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\winlogon.exe[540] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 
bytes JMP 00000000775e03a0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text 
C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\winlogon.exe[540] 
C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 
.text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[1076] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 
bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 
5 bytes JMP 00000000775e02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text 
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Program Files\NVIDIA 
Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1236] 
C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text 
C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\nvvsvc.exe[1248] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 
00000000775e0430 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\nvvsvc.exe[1248] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\CompPtcVUI.exe[1300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b0a2ba 1 byte [62] .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[1624] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 
5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text 
C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[1624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\taskhost.exe[1684] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 
0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text 
C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\taskhost.exe[1684] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[1944] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000000775e03e0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 
bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[1944] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000000775e0400 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[1944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 000000010043075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] 
C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001004303a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 0000000100430b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 0000000100430ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 000000010043163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes 
JMP 00000000775e02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 0000000100431284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Program Files\NVIDIA 
Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001004319f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 
000000007726eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2320] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 00000001003c075c .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001003c03a4 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 
5 bytes JMP 00000001003c0b14 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 00000001003c0ecc .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000001003c163c .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 00000001003c1284 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\system32\svchost.exe[2932] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001003c19f4 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text 
C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\system32\svchost.exe[2932] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 000000010019075c .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001001903a4 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\rundll32.exe[3068] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 0000000100190b14 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 0000000100190ecc .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 000000010019163c .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 0000000100191284 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 
00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 
.text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001001919f4 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\rundll32.exe[3068] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\System32\rundll32.exe[3068] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 000000010023075c .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 
5 bytes JMP 00000001002303a4 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 0000000100230b14 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 0000000100230ecc .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 000000010023163c .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 
00000000774817b0 5 bytes JMP 0000000100231284 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[2092] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001002319f4 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000100070200 .text 
C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\system32\Dwm.exe[2092] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 000000010019075c .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001001903a4 
.text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 0000000100190b14 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 0000000100190ecc .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 000000010019163c .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 0000000100191284 .text C:\Windows\Explorer.EXE[2308] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\Explorer.EXE[2308] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000000775e02a0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001001919f4 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\Explorer.EXE[2308] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\Explorer.EXE[2308] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007762fac0 5 bytes JMP 0000000100230600 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007762fb58 5 bytes JMP 0000000100230804 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007762fcb0 5 bytes JMP 0000000100230c0c .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077630038 5 bytes 
JMP 0000000100230a08 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077631920 5 bytes JMP 0000000100230e10 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007764c4dd 5 bytes JMP 00000001002301f8 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077651287 5 bytes JMP 00000001002303fc .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b0a2ba 1 byte [62] .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007548ee09 5 bytes JMP 00000001002401f8 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075493982 5 bytes JMP 00000001002403fc .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075497603 5 bytes JMP 0000000100240804 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007549835c 5 bytes JMP 0000000100240600 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000754af52b 5 bytes JMP 0000000100240a08 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077115181 5 bytes JMP 0000000100251014 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077115254 5 bytes JMP 0000000100250804 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000771153d5 5 bytes JMP 0000000100250a08 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000771154c2 5 bytes JMP 0000000100250c0c .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000771155e2 5 bytes JMP 0000000100250e10 .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007711567c 5 bytes JMP 00000001002501f8 .text 
C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007711589f 5 bytes JMP 00000001002503fc .text C:\Windows\PLFSetI.exe[2488] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077115a22 5 bytes JMP 0000000100250600 .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[1400] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076b0a2ba 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 000000010023075c .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001002303a4 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 0000000100230b14 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 0000000100230ecc .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 000000010023163c .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000001000703b0 .text 
C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 0000000100231284 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000001000702b0 
.text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 0000000100070340 .text 
C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001002319f4 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 
000007ff7e690ecc .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\system32\SearchIndexer.exe[148] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2468] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077453b10 5 bytes JMP 00000001002d075c .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077457ac0 5 bytes JMP 00000001002d03a4 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077481360 5 bytes JMP 00000000775e0460 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000774813b0 5 bytes JMP 00000000775e0450 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077481430 5 bytes JMP 00000001002d0b14 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077481490 5 bytes JMP 00000001002d0ecc .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077481510 5 bytes JMP 00000000775e0370 .text 
C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077481560 5 bytes JMP 00000000775e0470 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077481570 5 bytes JMP 00000001002d163c .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077481620 5 bytes JMP 00000000775e0320 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077481650 5 bytes JMP 00000000775e03b0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077481670 5 bytes JMP 00000000775e0390 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000774816b0 5 bytes JMP 00000000775e02e0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077481730 5 bytes JMP 00000000775e02d0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077481750 5 bytes JMP 00000000775e0310 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077481790 5 bytes JMP 00000000775e03c0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000774817b0 5 bytes JMP 00000001002d1284 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000774817e0 5 bytes JMP 00000000775e03f0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077481940 5 bytes JMP 00000000775e0230 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077481b00 5 bytes JMP 00000000775e0480 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077481b30 5 bytes JMP 00000000775e03a0 .text C:\Windows\System32\svchost.exe[3404] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077481c10 5 bytes JMP 00000000775e02f0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077481c20 5 bytes JMP 00000000775e0350 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077481c80 5 bytes JMP 00000000775e0290 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077481d10 5 bytes JMP 00000000775e02b0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077481d30 5 bytes JMP 00000000775e03d0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077481d40 5 bytes JMP 00000000775e0330 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077481db0 5 bytes JMP 00000000775e0410 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077481de0 5 bytes JMP 00000000775e0240 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000774820a0 5 bytes JMP 00000000775e01e0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077482160 5 bytes JMP 00000000775e0250 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077482190 5 bytes JMP 00000000775e0490 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000774821a0 5 bytes JMP 00000000775e04a0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000774821d0 5 bytes JMP 00000000775e0300 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000774821e0 5 bytes JMP 00000000775e0360 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077482240 5 
bytes JMP 00000000775e02a0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077482290 5 bytes JMP 00000000775e02c0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000774822c0 5 bytes JMP 00000000775e0380 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000774822d0 5 bytes JMP 00000000775e0340 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000774825c0 5 bytes JMP 00000000775e0440 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000774827c0 5 bytes JMP 00000000775e0260 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000774827d0 5 bytes JMP 00000000775e0270 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000774827e0 5 bytes JMP 00000001002d19f4 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000774829a0 5 bytes JMP 00000000775e01f0 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000774829b0 5 bytes JMP 00000000775e0210 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077482a20 5 bytes JMP 00000000775e0200 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077482a80 5 bytes JMP 00000000775e0420 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077482a90 5 bytes JMP 00000000775e0430 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077482aa0 5 bytes JMP 00000000775e0220 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077482b80 5 bytes JMP 00000000775e0280 .text C:\Windows\System32\svchost.exe[3404] 
C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007726eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe676e00 5 bytes JMP 000007ff7e691dac .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe676f2c 5 bytes JMP 000007ff7e690ecc .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe677220 5 bytes JMP 000007ff7e691284 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe67739c 5 bytes JMP 000007ff7e69163c .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe677538 5 bytes JMP 000007ff7e6919f4 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe6775e8 5 bytes JMP 000007ff7e6903a4 .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe67790c 5 bytes JMP 000007ff7e69075c .text C:\Windows\System32\svchost.exe[3404] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe677ab4 5 bytes JMP 000007ff7e690b14 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007762fac0 5 bytes JMP 0000000100030600 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007762fb58 5 bytes JMP 0000000100030804 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007762fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077630038 5 bytes JMP 0000000100030a08 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077631920 5 bytes JMP 0000000100030e10 .text C:\Users\emil\Downloads\44js98fw.exe[1124] 
C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007764c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077651287 5 bytes JMP 00000001000303fc .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076b0a2ba 1 byte [62] .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000077115181 5 bytes JMP 00000001001d1014 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000077115254 5 bytes JMP 00000001001d0804 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000771153d5 5 bytes JMP 00000001001d0a08 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000771154c2 5 bytes JMP 00000001001d0c0c .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000771155e2 5 bytes JMP 00000001001d0e10 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007711567c 5 bytes JMP 00000001001d01f8 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007711589f 5 bytes JMP 00000001001d03fc .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000077115a22 5 bytes JMP 00000001001d0600 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007548ee09 5 bytes JMP 00000001001e01f8 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075493982 5 bytes JMP 00000001001e03fc .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075497603 5 bytes JMP 00000001001e0804 .text 
C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007549835c 5 bytes JMP 00000001001e0600 .text C:\Users\emil\Downloads\44js98fw.exe[1124] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000754af52b 5 bytes JMP 00000001001e0a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:3612] 000007fefee20168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:3632] 000007fefb392a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:3640] 000007fef227d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:3880] 000007fef8f95124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\CurrentControlSet\services\aswKbd Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 28 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 6373537 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Alwil Software\Avast5 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Alwil Software\Avast5 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269df160e Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@DisplayName aswKbd Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Group Keyboard Port Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Description avast! keyboard filter driver (aswKbd) Reg HKLM\SYSTEM\ControlSet002\services\aswKbd@Tag 7 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 28 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 6373537 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\Alwil Software\Avast5 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\Alwil Software\Avast5 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\Alwil Software\Avast5\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269df160e (not active ControlSet) ---- EOF - GMER 2.1 ----