GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-02 09:13:03 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000063 WDC_WD50 rev.01.0 465,76GB Running: 15pg0zm0.exe; Driver: C:\Users\lupus\AppData\Local\Temp\kwddqkod.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031b9000 45 bytes [00, 00, 16, 02, 4E, 74, 66, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031b902f 10 bytes [00, 01, 00, 06, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000149de0460 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000149de0450 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000149de0370 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000149de0470 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000149de03e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000149de0320 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000149de03b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000149de0390 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000149de02e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000149de02d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000149de0310 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000149de03c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000149de03f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000149de0230 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000149de0480 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000149de03a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000149de02f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000149de0350 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000149de0290 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000149de02b0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000149de03d0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000149de0330 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000149de0410 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000149de0240 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000149de01e0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000149de0250 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000149de0490 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000149de04a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000149de0300 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000149de0360 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000149de02a0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000149de02c0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000149de0380 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000149de0340 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000149de0440 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000149de0260 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000149de0270 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000149de0400 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000149de01f0 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000149de0210 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000149de0200 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000149de0420 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000149de0430 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000149de0220 .text C:\Windows\system32\csrss.exe[416] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000149de0280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000149de0460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000149de0450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000149de0370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000149de0470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000149de03e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000149de0320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000149de03b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000149de0390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000149de02e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000149de02d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000149de0310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000149de03c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000149de03f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000149de0230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000149de0480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000149de03a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000149de02f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000149de0350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000149de0290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000149de02b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000149de03d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000149de0330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000149de0410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000149de0240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000149de01e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000149de0250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000149de0490 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000149de04a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000149de0300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000149de0360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000149de02a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000149de02c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000149de0380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000149de0340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000149de0440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000149de0260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000149de0270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000149de0400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000149de01f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000149de0210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000149de0200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000149de0420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000149de0430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000149de0220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000149de0280 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\services.exe[548] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\services.exe[548] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\winlogon.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\lsass.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\lsm.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[824] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\atiesrxx.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[988] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\svchost.exe[988] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[340] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1084] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\atieclxx.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000747e17fa 2 bytes CALL 752911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000747e1860 2 bytes CALL 752911a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000747e1a22 2 bytes [7E, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000747e1ad0 2 bytes [7E, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000747e1b08 2 bytes [7E, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d11401 2 bytes JMP 752bb1d3 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d11419 2 bytes JMP 752bb2fe C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d11431 2 bytes JMP 75338939 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d1144a 2 bytes CALL 75294885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d114dd 2 bytes JMP 75338232 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d114f5 2 bytes JMP 75338408 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d1150d 2 bytes JMP 75338128 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d11525 2 bytes JMP 753384f2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d1153d 2 bytes JMP 752afc70 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d11555 2 bytes JMP 752b68b7 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d1156d 2 bytes JMP 753389f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d11585 2 bytes JMP 75338552 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d1159d 2 bytes JMP 753380ec C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d115b5 2 bytes JMP 752afd09 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d115cd 2 bytes JMP 752bb294 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d116b2 2 bytes JMP 753388b4 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[1360] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d116bd 2 bytes JMP 75338081 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000074d11401 2 bytes JMP 752bb1d3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000074d11419 2 bytes JMP 752bb2fe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000074d11431 2 bytes JMP 75338939 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000074d1144a 2 bytes CALL 75294885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000074d114dd 2 bytes JMP 75338232 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000074d114f5 2 bytes JMP 75338408 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000074d1150d 2 bytes JMP 75338128 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000074d11525 2 bytes JMP 753384f2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000074d1153d 2 bytes JMP 752afc70 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000074d11555 2 bytes JMP 752b68b7 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000074d1156d 2 bytes JMP 753389f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000074d11585 2 bytes JMP 75338552 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000074d1159d 2 bytes JMP 753380ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000074d115b5 2 bytes JMP 752afd09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000074d115cd 2 bytes JMP 752bb294 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000074d116b2 2 bytes JMP 753388b4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe[1220] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000074d116bd 2 bytes JMP 75338081 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1320] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\svchost.exe[1864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskhost.exe[2768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000100070490 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\Explorer.EXE[3068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\Explorer.EXE[3068] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\wbem\wmiprvse.exe[2204] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d11401 2 bytes JMP 752bb1d3 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d11419 2 bytes JMP 752bb2fe C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d11431 2 bytes JMP 75338939 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d1144a 2 bytes CALL 75294885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d114dd 2 bytes JMP 75338232 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d114f5 2 bytes JMP 75338408 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d1150d 2 bytes JMP 75338128 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d11525 2 bytes JMP 753384f2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d1153d 2 bytes JMP 752afc70 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d11555 2 bytes JMP 752b68b7 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d1156d 2 bytes JMP 753389f1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d11585 2 bytes JMP 75338552 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d1159d 2 bytes JMP 753380ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d115b5 2 bytes JMP 752afd09 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d115cd 2 bytes JMP 752bb294 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d116b2 2 bytes JMP 753388b4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[1944] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d116bd 2 bytes JMP 75338081 C:\Windows\syswow64\kernel32.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[704] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075298769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[704] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[2708] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\System32\svchost.exe[3216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\taskeng.exe[2764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Users\lupus\Downloads\FRST64 (1).exe[4456] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076e21360 5 bytes JMP 0000000076f80460 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076e213b0 5 bytes JMP 0000000076f80450 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000076e21510 5 bytes JMP 0000000076f80370 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076e21560 5 bytes JMP 0000000076f80470 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076e21570 5 bytes JMP 0000000076f803e0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076e21620 5 bytes JMP 0000000076f80320 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076e21650 5 bytes JMP 0000000076f803b0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000076e21670 5 bytes JMP 0000000076f80390 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076e216b0 5 bytes JMP 0000000076f802e0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076e21730 5 bytes JMP 0000000076f802d0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076e21750 5 bytes JMP 0000000076f80310 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076e21790 5 bytes JMP 0000000076f803c0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076e217e0 5 bytes JMP 0000000076f803f0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076e21940 5 bytes JMP 0000000076f80230 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076e21b00 5 bytes JMP 0000000076f80480 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076e21b30 5 bytes JMP 0000000076f803a0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076e21c10 5 bytes JMP 0000000076f802f0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076e21c20 5 bytes JMP 0000000076f80350 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076e21c80 5 bytes JMP 0000000076f80290 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076e21d10 5 bytes JMP 0000000076f802b0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076e21d30 5 bytes JMP 0000000076f803d0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076e21d40 5 bytes JMP 0000000076f80330 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076e21db0 5 bytes JMP 0000000076f80410 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076e21de0 5 bytes JMP 0000000076f80240 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076e220a0 5 bytes JMP 0000000076f801e0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076e22160 5 bytes JMP 0000000076f80250 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076e22190 5 bytes JMP 0000000076f80490 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076e221a0 5 bytes JMP 0000000076f804a0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076e221d0 5 bytes JMP 0000000076f80300 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076e221e0 5 bytes JMP 0000000076f80360 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076e22240 5 bytes JMP 0000000076f802a0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076e22290 5 bytes JMP 0000000076f802c0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000076e222c0 5 bytes JMP 0000000076f80380 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076e222d0 5 bytes JMP 0000000076f80340 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076e225c0 5 bytes JMP 0000000076f80440 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076e227c0 5 bytes JMP 0000000076f80260 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076e227d0 5 bytes JMP 0000000076f80270 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076e227e0 5 bytes JMP 0000000076f80400 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076e229a0 5 bytes JMP 0000000076f801f0 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076e229b0 5 bytes JMP 0000000076f80210 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076e22a20 5 bytes JMP 0000000076f80200 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076e22a80 5 bytes JMP 0000000076f80420 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076e22a90 5 bytes JMP 0000000076f80430 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076e22aa0 5 bytes JMP 0000000076f80220 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076e22b80 5 bytes JMP 0000000076f80280 .text C:\Windows\system32\AUDIODG.EXE[5048] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076c0eecd 1 byte [62] .text C:\Users\lupus\Downloads\15pg0zm0.exe[816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000752ba2ba 1 byte [62] ---- EOF - GMER 2.1 ----