GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-04-26 14:42:05 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0004 465,76GB Running: m57g1hli.exe; Driver: C:\Users\Samsung\AppData\Local\Temp\pxrorpoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031be000 76 bytes [00, 00, 32, 02, 54, 63, 70, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800031be04f 57 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 000000014a370460 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 000000014a370450 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 000000014a370370 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 000000014a370470 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000014a3703e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 000000014a370320 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 000000014a3703b0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 000000014a370390 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 000000014a3702e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 000000014a3702d0 .text 
C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 000000014a370310 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 000000014a3703c0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 000000014a3703f0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 000000014a370230 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 000000014a370480 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 000000014a3703a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 000000014a3702f0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 000000014a370350 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 000000014a370290 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 000000014a3702b0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 000000014a3703d0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 000000014a370330 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 000000014a370410 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 000000014a370240 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes 
JMP 000000014a3701e0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 000000014a370250 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 000000014a370490 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 000000014a3704a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 000000014a370300 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 000000014a370360 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 000000014a3702a0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 000000014a3702c0 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 000000014a370380 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 000000014a370340 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 000000014a370440 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 000000014a370260 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 000000014a370270 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 000000014a370400 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 000000014a3701f0 .text C:\windows\system32\csrss.exe[572] 
C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 000000014a370210 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 000000014a370200 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 000000014a370420 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 000000014a370430 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 000000014a370220 .text C:\windows\system32\csrss.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 000000014a370280 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 
.text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\wininit.exe[636] 
C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 
.text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\wininit.exe[636] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\wininit.exe[636] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 000000014a370460 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 000000014a370450 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 000000014a370370 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 000000014a370470 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000014a3703e0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 000000014a370320 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
0000000076ec1650 5 bytes JMP 000000014a3703b0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 000000014a370390 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 000000014a3702e0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 000000014a3702d0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 000000014a370310 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 000000014a3703c0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 000000014a3703f0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 000000014a370230 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 000000014a370480 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 000000014a3703a0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 000000014a3702f0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 000000014a370350 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 000000014a370290 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 000000014a3702b0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 000000014a3703d0 .text C:\windows\system32\csrss.exe[656] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 000000014a370330 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 000000014a370410 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 000000014a370240 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 000000014a3701e0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 000000014a370250 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 000000014a370490 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 000000014a3704a0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 000000014a370300 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 000000014a370360 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 000000014a3702a0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 000000014a3702c0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 000000014a370380 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 000000014a370340 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 000000014a370440 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 000000014a370260 .text 
C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 000000014a370270 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 000000014a370400 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 000000014a3701f0 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 000000014a370210 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 000000014a370200 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 000000014a370420 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 000000014a370430 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 000000014a370220 .text C:\windows\system32\csrss.exe[656] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 000000014a370280 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 
0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text 
C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\services.exe[696] 
C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\services.exe[696] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\services.exe[696] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 
0000000077020370 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\lsass.exe[716] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text 
C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\lsass.exe[716] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 
0000000077020450 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 
00000000770202f0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 
00000000770202c0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\lsm.exe[724] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 
0000000100070450 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\windows\system32\svchost.exe[836] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 
00000001000702a0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\windows\system32\svchost.exe[836] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\windows\system32\nvvsvc.exe[920] 
C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text 
C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 
0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\nvvsvc.exe[920] 
C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\nvvsvc.exe[920] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 
.text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\winlogon.exe[928] 
C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 
bytes JMP 0000000077020420 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\winlogon.exe[928] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\winlogon.exe[928] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\svchost.exe[988] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 
00000000770201e0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\svchost.exe[988] 
C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\svchost.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 
00000000770202e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\System32\svchost.exe[428] 
C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 
.text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\System32\svchost.exe[428] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\System32\svchost.exe[792] 
C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 
0000000077020330 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\System32\svchost.exe[792] 
C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\System32\svchost.exe[792] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\System32\svchost.exe[792] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 
00000000770203e0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\svchost.exe[648] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 
.text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\svchost.exe[648] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\svchost.exe[648] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\windows\system32\svchost.exe[1032] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 
5 bytes JMP 00000001000702f0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text 
C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\windows\system32\svchost.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\windows\system32\svchost.exe[1032] 
C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 
0000000077020230 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text 
C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\svchost.exe[1216] 
C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\svchost.exe[1216] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text 
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\NVIDIA 
Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] 
C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1372] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 
bytes JMP 0000000077020460 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\nvvsvc.exe[1384] 
C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 
bytes JMP 0000000077020360 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\nvvsvc.exe[1384] 
C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\nvvsvc.exe[1384] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\ProgramData\IePluginService\PluginService.exe[1520] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\Dwm.exe[1612] 
C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text 
C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 
0000000077020420 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\Dwm.exe[1612] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\Explorer.EXE[1620] 
C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\Explorer.EXE[1620] 
C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 
0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\Explorer.EXE[1620] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\Explorer.EXE[1620] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1696] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\WinZipper\winzipersvc.exe[1696] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\ProgramData\WPM\wprotectmanager.exe[1860] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\ProgramData\WPM\wprotectmanager.exe[1860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\ProgramData\WPM\wprotectmanager.exe[1860] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... 
* 2 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\System32\spoolsv.exe[1976] 
C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text 
C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\System32\spoolsv.exe[1976] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\svchost.exe[2004] 
C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text 
C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\svchost.exe[2004] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 
00000000770202e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program 
Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe[1404] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files (x86)\Intel\Bluetooth\devmonsrv.exe[1656] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW 
+ 112 00000000764fa2fd 1 byte [62] .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program 
Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] 
C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 
0000000077020270 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Intel\BluetoothHS\BTHSSecurityMgr.exe[1608] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe[2084] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[2180] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Norton Internet Security\Engine\18.7.2.3\ccSvcHst.exe[2368] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files 
(x86)\Intel\Bluetooth\obexsrv.exe[2412] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 
0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 
.text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\DllHost.exe[2424] 
C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\DllHost.exe[2424] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 
bytes JMP 00000000770203c0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text 
C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\taskhost.exe[2620] 
C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\taskhost.exe[2620] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[2856] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 
bytes JMP 0000000077020390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 
bytes JMP 00000000770203d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 
0000000077020340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3260] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 
0000000077020460 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Windows\System32\rundll32.exe[3268] 
C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Windows\System32\rundll32.exe[3268] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Windows\System32\rundll32.exe[3268] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000000770203e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program 
Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000077020400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3280] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000100070450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000100070370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001000703e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000100070230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000100070330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000100070410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000100070250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000100070490 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000100070260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 0000000100070400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] 
C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3296] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000100070280 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!GetMenu + 412 00000000762151dd 7 bytes JMP 0000000110053ac0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!PeekMessageA + 407 000000007621610b 7 bytes JMP 0000000110053c10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!CreateDialogIndirectParamW + 131 000000007621c6c1 7 bytes JMP 0000000110053bf0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 000000007625fc98 7 bytes JMP 0000000110053c60 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 000000007625fcd1 7 bytes JMP 0000000110053d30 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\USER32.dll!MessageBoxExA + 31 000000007625fcf5 7 bytes JMP 0000000110053ce0 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanion.exe[3304] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... 
* 2 .text C:\Windows\SysWOW64\rundll32.exe[3312] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Windows\SysWOW64\rundll32.exe[3312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Windows\SysWOW64\rundll32.exe[3312] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\Program Files (x86)\Intel\Bluetooth\BTPlayerCtrl.exe[3380] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3556] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3556] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3556] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3692] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3692] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3692] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... 
* 2 .text C:\Users\Samsung\AppData\Local\ConvertAd\ConvertAd.exe[3836] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Users\Samsung\AppData\Local\ConvertAd\ConvertAd.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Users\Samsung\AppData\Local\ConvertAd\ConvertAd.exe[3836] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010018075c .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001001803a4 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100180b14 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100180ecc .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010018163c .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 
00000000770203b0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100181284 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\svchost.exe[3052] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 
0000000077020440 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001001819f4 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text 
C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\svchost.exe[3052] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010035075c .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001003503a4 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100350b14 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100350ecc .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010035163c .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text 
C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100351284 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 
0000000077020290 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 
bytes JMP 0000000077020380 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001003519f4 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\SearchIndexer.exe[4128] 
C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\SearchIndexer.exe[4128] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 00000001001e075c .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001001e03a4 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 00000001001e0b14 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 00000001001e0ecc .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\taskeng.exe[4236] 
C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001001e163c .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 00000001001e1284 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text 
C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001001e19f4 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\taskeng.exe[4236] 
C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\taskeng.exe[4236] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010017075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001001703a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100170b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 
bytes JMP 0000000100170ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010017163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100171284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] 
C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text 
C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001001719f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4464] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\Program 
Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4700] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 00000001003a075c .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001003a03a4 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 00000001003a0b14 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 00000001003a0ecc .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001003a163c .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\taskeng.exe[4984] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 00000001003a1284 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 
bytes JMP 0000000077020330 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\taskeng.exe[4984] 
C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001003a19f4 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\taskeng.exe[4984] 
C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\taskeng.exe[4984] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] 
C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Sony\Sony PC Companion\PCCompanionInfo.exe[3392] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 
00000001000b0600 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010027075c .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001002703a4 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100270b14 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100270ecc .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010027163c .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\System32\svchost.exe[568] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100271284 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 
bytes JMP 0000000077020240 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001002719f4 .text C:\windows\System32\svchost.exe[568] 
C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\System32\svchost.exe[568] C:\windows\SYSTEM32\sechost.dll!DeleteService 
000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\igfxext.exe[5676] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 00000001004d075c .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001004d03a4 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 00000001004d0b14 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 
00000001004d0ecc .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001004d163c .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 00000001004d1284 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text 
C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\igfxsrvc.exe[5712] 
C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001004d19f4 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 
0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\igfxsrvc.exe[5712] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] 
C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001002401f8 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[6020] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100250a08 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010034075c .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001003403a4 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100340b14 .text C:\windows\system32\DllHost.exe[6028] 
C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100340ecc .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010034163c .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100341284 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 
bytes JMP 0000000077020480 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text 
C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001003419f4 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\DllHost.exe[6028] 
C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\DllHost.exe[6028] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010032075c .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001003203a4 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 
0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100320b14 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100320ecc .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010032163c .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files (x86)\Symantec\Norton Online 
Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100321284 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 
0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files (x86)\Symantec\Norton Online 
Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001003219f4 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 
bytes JMP 0000000077020280 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe[2256] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files 
(x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] 
C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000002c1465 2 bytes [2C, 00] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[4420] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002c14bb 2 bytes [2C, 00] .text ... 
* 2 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010015075c .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001001503a4 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100150b14 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100150ecc .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010015163c .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\System32\svchost.exe[5896] 
C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100151284 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 
0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001001519f4 .text 
C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text 
C:\windows\System32\svchost.exe[5896] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100100600 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100100804 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100100c0c .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100100a08 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100100e10 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001001001f8 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001001003fc .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001001501f8 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001001503fc .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100150804 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100150600 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100150a08 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 
0000000100161014 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100160804 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100160a08 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100160c0c .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100160e10 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001001601f8 .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001001603fc .text C:\windows\SysWOW64\cmd.exe[4372] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100160600 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 000000010015075c .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001001503a4 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 0000000100150b14 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076ec1490 5 bytes JMP 0000000100150ecc .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\windows\system32\conhost.exe[4168] 
C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 000000010015163c .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 0000000100151284 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 
0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text 
C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001001519f4 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\windows\system32\conhost.exe[4168] 
C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076daef8d 1 byte [62] .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\windows\system32\conhost.exe[4168] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text 
C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 00000001000a1014 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 00000001000a0804 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 00000001000a0a08 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 00000001000a0c0c .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 00000001000a0e10 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001000a01f8 .text 
C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001000a03fc .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 00000001000a0600 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001000f01f8 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001000f03fc .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 00000001000f0804 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 00000001000f0600 .text C:\Users\Samsung\AppData\Local\NativeMessaging\CT3289075\1_0_1_6\TBMessagingHost.exe[2392] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 00000001000f0a08 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] 
C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CyberLink\Media+Player10\Media+Player10Serv.exe[5748] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076e93b10 5 bytes JMP 00000001003c075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076e97ac0 5 bytes JMP 00000001003c03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076ec1360 5 bytes JMP 0000000077020460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076ec13b0 5 bytes JMP 0000000077020450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076ec1430 5 bytes JMP 00000001003c0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 
0000000076ec1490 5 bytes JMP 00000001003c0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076ec1510 5 bytes JMP 0000000077020370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076ec1560 5 bytes JMP 0000000077020470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076ec1570 5 bytes JMP 00000001003c163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076ec1620 5 bytes JMP 0000000077020320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076ec1650 5 bytes JMP 00000000770203b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076ec1670 5 bytes JMP 0000000077020390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076ec16b0 5 bytes JMP 00000000770202e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076ec1730 5 bytes JMP 00000000770202d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076ec1750 5 bytes JMP 0000000077020310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076ec1790 5 bytes JMP 00000000770203c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076ec17b0 5 bytes JMP 00000001003c1284 
.text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076ec17e0 5 bytes JMP 00000000770203f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076ec1940 5 bytes JMP 0000000077020230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076ec1b00 5 bytes JMP 0000000077020480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076ec1b30 5 bytes JMP 00000000770203a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076ec1c10 5 bytes JMP 00000000770202f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076ec1c20 5 bytes JMP 0000000077020350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076ec1c80 5 bytes JMP 0000000077020290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076ec1d10 5 bytes JMP 00000000770202b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076ec1d30 5 bytes JMP 00000000770203d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076ec1d40 5 bytes JMP 0000000077020330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076ec1db0 5 bytes JMP 0000000077020410 .text C:\Program Files\Common 
Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076ec1de0 5 bytes JMP 0000000077020240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076ec20a0 5 bytes JMP 00000000770201e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076ec2160 5 bytes JMP 0000000077020250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076ec2190 5 bytes JMP 0000000077020490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076ec21a0 5 bytes JMP 00000000770204a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076ec21d0 5 bytes JMP 0000000077020300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076ec21e0 5 bytes JMP 0000000077020360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076ec2240 5 bytes JMP 00000000770202a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076ec2290 5 bytes JMP 00000000770202c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076ec22c0 5 bytes JMP 0000000077020380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076ec22d0 5 bytes JMP 0000000077020340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] 
C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076ec25c0 5 bytes JMP 0000000077020440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076ec27c0 5 bytes JMP 0000000077020260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076ec27d0 5 bytes JMP 0000000077020270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076ec27e0 5 bytes JMP 00000001003c19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076ec29a0 5 bytes JMP 00000000770201f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076ec29b0 5 bytes JMP 0000000077020210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076ec2a20 5 bytes JMP 0000000077020200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076ec2a80 5 bytes JMP 0000000077020420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076ec2a90 5 bytes JMP 0000000077020430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076ec2aa0 5 bytes JMP 0000000077020220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076ec2b80 5 bytes JMP 0000000077020280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] 
C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[5008] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefd776e00 5 bytes JMP 000007ff7d791dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefd776f2c 5 bytes JMP 000007ff7d790ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefd777220 5 bytes JMP 000007ff7d791284 .text C:\Program Files\Common Files\Microsoft Shared\Windows 
Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefd77739c 5 bytes JMP 000007ff7d79163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefd777538 5 bytes JMP 000007ff7d7919f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefd7775e8 5 bytes JMP 000007ff7d7903a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefd77790c 5 bytes JMP 000007ff7d79075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3876] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefd777ab4 5 bytes JMP 000007ff7d790b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files 
(x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 
bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5280] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files 
(x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes 
JMP 0000000100110804 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Microsoft\BingBar\7.3.132.0\SeaPort.exe[6068] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] 
C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100110a08 
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe[6380] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] 
C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001003001f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001003003fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100300804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100300600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 
0000000100300a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe[1128] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001000903fc 
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] 
.text C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe[1752] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... * 2 ? C:\windows\system32\mssprxy.dll [1752] entry point in ".rdata" section 00000000712571e6 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100110a08 .text C:\Program Files 
(x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077021465 2 bytes [02, 77] .text C:\Program Files (x86)\WinZipper\WinZipper.exe[4616] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000770214bb 2 bytes [02, 77] .text ... 
* 2 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007706fac0 5 bytes JMP 0000000100030600 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007706fb58 5 bytes JMP 0000000100030804 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007706fcb0 5 bytes JMP 0000000100030c0c .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077070038 5 bytes JMP 0000000100030a08 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077071920 5 bytes JMP 0000000100030e10 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007708c4dd 5 bytes JMP 00000001000301f8 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077091287 5 bytes JMP 00000001000303fc .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000764fa2fd 1 byte [62] .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076925181 5 bytes JMP 0000000100241014 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076925254 5 bytes JMP 0000000100240804 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000769253d5 5 bytes JMP 0000000100240a08 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000769254c2 5 
bytes JMP 0000000100240c0c .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000769255e2 5 bytes JMP 0000000100240e10 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!CreateServiceA 000000007692567c 5 bytes JMP 00000001002401f8 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!CreateServiceW 000000007692589f 5 bytes JMP 00000001002403fc .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000076925a22 5 bytes JMP 0000000100240600 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007620ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076213982 5 bytes JMP 00000001002503fc .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076217603 5 bytes JMP 0000000100250804 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007621835c 5 bytes JMP 0000000100250600 .text C:\Users\Samsung\AppData\Local\Temp\WzE9CAC.tmp\m57g1hli.exe[2536] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007622f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\windows\System32\svchost.exe [5896:6560] 000007fef5c79688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{3E166CB3-375F-419A-8616-5DC9D8AD543B}\Connection@Name isatap.{0B0EF99B-4C4B-479B-BBE4-AFB46D883FFB} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind 
\Device\{3E166CB3-375F-419A-8616-5DC9D8AD543B}?\Device\{A16F3FE2-642A-452E-BCAF-810702041EE3}?\Device\{4A1F1F35-F791-4605-91AD-2CB100E631C4}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{3E166CB3-375F-419A-8616-5DC9D8AD543B}"?"{A16F3FE2-642A-452E-BCAF-810702041EE3}"?"{4A1F1F35-F791-4605-91AD-2CB100E631C4}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{3E166CB3-375F-419A-8616-5DC9D8AD543B}?\Device\TCPIP6TUNNEL_{A16F3FE2-642A-452E-BCAF-810702041EE3}?\Device\TCPIP6TUNNEL_{4A1F1F35-F791-4605-91AD-2CB100E631C4}? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 493 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 13108786 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! 
Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002454f1df46 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b4749f59338f Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b803058059e8 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b803058059e8@1c7b213d35e3 0x42 0xC3 0x6C 0x08 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca9710db474 Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3E166CB3-375F-419A-8616-5DC9D8AD543B}@InterfaceName isatap.{0B0EF99B-4C4B-479B-BBE4-AFB46D883FFB} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3E166CB3-375F-419A-8616-5DC9D8AD543B}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 493 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 13108786 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 10 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! 
Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002454f1df46 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b4749f59338f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b803058059e8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b803058059e8@1c7b213d35e3 0x42 0xC3 0x6C 0x08 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca9710db474 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----