GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-02 12:59:03 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9160821AS rev.3.ALC 149,05GB Running: 51y5njhl.exe; Driver: C:\Users\Rysio\AppData\Local\Temp\uglorpod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\wininit.exe[448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\services.exe[528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\services.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\winlogon.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\lsass.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\lsass.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[788] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[836] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\System32\svchost.exe[836] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\System32\svchost.exe[924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[952] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[444] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[444] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100070490 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001000704a0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\taskhost.exe[1556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1848] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000773ab0c5 1 byte [62] .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 0000000077a003e0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 0000000077a00400 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\System32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\sppsvc.exe[2364] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 00000001000a075c .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001000a03a4 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 00000001000a0b14 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 00000001000a0ecc .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001000a163c .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 00000001000a1284 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001000a19f4 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\svchost.exe[2492] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 000000010026075c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 000000010026163c .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 0000000100261284 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\Dwm.exe[2640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 000000010017075c .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001001703a4 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 0000000100170b14 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 0000000100170ecc .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 000000010017163c .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 0000000100171284 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001001719f4 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\Explorer.EXE[2664] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\Explorer.EXE[2664] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a4fa60 5 bytes JMP 0000000100030600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a4faf8 5 bytes JMP 0000000100030804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a4fc50 5 bytes JMP 0000000100030c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a4ffd8 5 bytes JMP 0000000100030a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a518c0 5 bytes JMP 0000000100030e10 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a6c0a2 5 bytes JMP 00000001000301f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a71067 5 bytes JMP 00000001000303fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000773ab0c5 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007580f0e6 5 bytes JMP 00000001002401f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075813907 5 bytes JMP 00000001002403fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075818364 5 bytes JMP 0000000100240600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758206b3 5 bytes JMP 0000000100240804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2768] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075830efc 5 bytes JMP 0000000100240a08 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 000000010016075c .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 000000010016163c .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 0000000100161284 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001001619f4 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\SearchIndexer.exe[3048] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 000000010021075c .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 000000010021163c .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 0000000100211284 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001002119f4 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\taskeng.exe[3032] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Program Files\Sony\VAIO Update\VAIOUpdt.exe[2908] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 00000001002d075c .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001002d03a4 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 00000001002d0b14 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 00000001002d0ecc .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001002d163c .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 00000001002d1284 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001002d19f4 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Program Files\Sony\VAIO Update\VUAgent.exe[1580] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001001c163c .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001001c19f4 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\prevhost.exe[3916] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 000000010029075c .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001002903a4 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 0000000100290b14 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 0000000100290ecc .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 000000010029163c .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 0000000100291284 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001002919f4 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\notepad.exe[1168] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\notepad.exe[1168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077872fd0 5 bytes JMP 00000001002a075c .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077884a20 5 bytes JMP 00000001002a03a4 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007789ff60 5 bytes JMP 0000000077a00460 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007789ffb0 5 bytes JMP 0000000077a00450 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778a0030 5 bytes JMP 00000001002a0b14 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778a0090 5 bytes JMP 00000001002a0ecc .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000778a0110 5 bytes JMP 0000000077a00370 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778a0160 5 bytes JMP 0000000077a00470 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778a0170 5 bytes JMP 00000001002a163c .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778a0220 5 bytes JMP 0000000077a00320 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 5 bytes JMP 0000000077a003b0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000778a0270 5 bytes JMP 0000000077a00390 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778a02b0 5 bytes JMP 0000000077a002e0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778a0330 5 bytes JMP 0000000077a002d0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 5 bytes JMP 0000000077a00310 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 5 bytes JMP 0000000077a003c0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778a03b0 5 bytes JMP 00000001002a1284 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778a03e0 5 bytes JMP 0000000077a003f0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778a0540 5 bytes JMP 0000000077a00230 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778a0700 5 bytes JMP 0000000077a00480 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000778a0730 5 bytes JMP 0000000077a003a0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778a0810 5 bytes JMP 0000000077a002f0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778a0820 5 bytes JMP 0000000077a00350 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778a0880 5 bytes JMP 0000000077a00290 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778a0910 5 bytes JMP 0000000077a002b0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 5 bytes JMP 0000000077a003d0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778a0940 5 bytes JMP 0000000077a00330 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000778a09b0 5 bytes JMP 0000000077a00410 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778a09e0 5 bytes JMP 0000000077a00240 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778a0ca0 5 bytes JMP 0000000077a001e0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778a0d60 5 bytes JMP 0000000077a00250 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778a0d90 5 bytes JMP 0000000077a00490 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778a0da0 5 bytes JMP 0000000077a004a0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778a0dd0 5 bytes JMP 0000000077a00300 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778a0de0 5 bytes JMP 0000000077a00360 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778a0e40 5 bytes JMP 0000000077a002a0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778a0e90 5 bytes JMP 0000000077a002c0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000778a0ec0 5 bytes JMP 0000000077a00380 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778a0ed0 5 bytes JMP 0000000077a00340 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 5 bytes JMP 0000000077a00440 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778a13c0 5 bytes JMP 0000000077a00260 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778a13d0 5 bytes JMP 0000000077a00270 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 5 bytes JMP 00000001002a19f4 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 5 bytes JMP 0000000077a001f0 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778a15b0 5 bytes JMP 0000000077a00210 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778a1620 5 bytes JMP 0000000077a00200 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000778a1680 5 bytes JMP 0000000077a00420 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000778a1690 5 bytes JMP 0000000077a00430 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778a16a0 5 bytes JMP 0000000077a00220 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778a1780 5 bytes JMP 0000000077a00280 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe4f6e00 5 bytes JMP 000007ff7e511dac .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe4f6f2c 5 bytes JMP 000007ff7e510ecc .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe4f7220 5 bytes JMP 000007ff7e511284 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe4f739c 5 bytes JMP 000007ff7e51163c .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe4f7538 5 bytes JMP 000007ff7e5119f4 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe4f75e8 5 bytes JMP 000007ff7e5103a4 .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe4f790c 5 bytes JMP 000007ff7e51075c .text C:\Windows\system32\taskeng.exe[236] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe4f7ab4 5 bytes JMP 000007ff7e510b14 .text C:\Windows\system32\AUDIODG.EXE[3856] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007778f1bd 1 byte [62] .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a4fa60 5 bytes JMP 0000000100030600 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a4faf8 5 bytes JMP 0000000100030804 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a4fc50 5 bytes JMP 0000000100030c0c .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a4ffd8 5 bytes JMP 0000000100030a08 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077a518c0 5 bytes JMP 0000000100030e10 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a6c0a2 5 bytes JMP 00000001000301f8 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a71067 5 bytes JMP 00000001000303fc .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000773ab0c5 1 byte [62] .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076f25181 5 bytes JMP 00000001001d1014 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076f25254 5 bytes JMP 00000001001d0804 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076f253d5 5 bytes JMP 00000001001d0a08 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076f254c2 5 bytes JMP 00000001001d0c0c .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076f255e2 5 bytes JMP 00000001001d0e10 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076f2567c 5 bytes JMP 00000001001d01f8 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076f2589f 5 bytes JMP 00000001001d03fc .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076f25a22 5 bytes JMP 00000001001d0600 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007580f0e6 5 bytes JMP 00000001001f01f8 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075813907 5 bytes JMP 00000001001f03fc .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075818364 5 bytes JMP 00000001001f0600 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000758206b3 5 bytes JMP 00000001001f0804 .text C:\Users\Rysio\Desktop\combofix\51y5njhl.exe[3416] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075830efc 5 bytes JMP 00000001001f0a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [1108:2516] 000007fef759a0ac Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1544:2268] 000007feff923570 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1544:2528] 000007fef6c82a74 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1544:192] 000007fef10adc08 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [1544:2156] 000007fefa785124 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\drivers\aswFsBlk.sys (*** hidden *** ) [AUTO] aswFsBlk <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswMonFlt.sys (*** hidden *** ) [AUTO] aswMonFlt <-- ROOTKIT !!! Service C:\Windows\System32\Drivers\aswrdr2.sys (*** hidden *** ) [SYSTEM] aswRdr <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswRvrt.sys (*** hidden *** ) [BOOT] aswRvrt <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSnx.sys (*** hidden *** ) [SYSTEM] aswSnx <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswSP.sys (*** hidden *** ) [SYSTEM] aswSP <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswTdi.sys (*** hidden *** ) [SYSTEM] aswTdi <-- ROOTKIT !!! Service C:\Windows\system32\drivers\aswVmm.sys (*** hidden *** ) [BOOT] aswVmm <-- ROOTKIT !!! Service C:\Program Files\AVAST Software\Avast\AvastSvc.exe (*** hidden *** ) [AUTO] avast! Antivirus <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 2257 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 3 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 2257 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 0 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarz?dza us?ugami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantann? oraz harmonogram zada?. ---- EOF - GMER 2.1 ----