GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-19 11:12:44 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0003DEM1 298,09GB Running: gmer.exe; Driver: C:\Users\JERZY\AppData\Local\Temp\awddykog.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0xffffffff885bee90} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0xffffffff885be890} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0xffffffff885be590} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0xffffffff885be090} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0xffffffff885bdb90} .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\wininit.exe[448] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\wininit.exe[448] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0xffffffff885bee90} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0xffffffff885be890} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0xffffffff885be590} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0xffffffff885be090} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0xffffffff885bdb90} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\services.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\services.exe[508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\winlogon.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\lsass.exe[568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\lsm.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[772] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\System32\svchost.exe[860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\svchost.exe[860] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0xffffffff8850ee90} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0xffffffff8850e890} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0xffffffff8850e590} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0xffffffff8850e090} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0xffffffff8850db90} .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[352] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[352] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[1060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\spoolsv.exe[1328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\svchost.exe[1384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1500] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1544] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d0faa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d0fb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d0fc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d10018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d2c45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d31217 5 bytes JMP 00000001000303fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007625ee09 5 bytes JMP 00000001003401f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076263982 5 bytes JMP 00000001003403fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076267603 5 bytes JMP 0000000100340804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007626835c 5 bytes JMP 0000000100340600 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007627f52b 5 bytes JMP 0000000100340a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076225181 5 bytes JMP 0000000100351014 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076225254 5 bytes JMP 0000000100350804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762253d5 5 bytes JMP 0000000100350a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762254c2 5 bytes JMP 0000000100350c0c .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762255e2 5 bytes JMP 0000000100350e10 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007622567c 5 bytes JMP 00000001003501f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007622589f 5 bytes JMP 00000001003503fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[1980] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076225a22 5 bytes JMP 0000000100350600 .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\System32\WUDFHost.exe[2056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 000000010011075c .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001001103a4 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 0000000100110b14 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 0000000100110ecc .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 000000010011163c .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 0000000100111284 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\system32\Dwm.exe[2364] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 000000010032075c .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 000000010032163c .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 0000000100321284 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\system32\taskhost.exe[2376] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 000000010023075c .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001002303a4 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 0000000100230b14 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 0000000100230ecc .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 000000010023163c .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 0000000100231284 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\Explorer.EXE[2592] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\Explorer.EXE[2592] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 000000010019075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001001903a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 0000000100190b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 0000000100190ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 000000010019163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 0000000100191284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Program Files\Windows Sidebar\sidebar.exe[2756] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2860] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d0faa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d0fb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d0fc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d10018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d2c45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d31217 5 bytes JMP 00000001000303fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007625ee09 5 bytes JMP 00000001002401f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076263982 5 bytes JMP 00000001002403fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076267603 5 bytes JMP 0000000100240804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007626835c 5 bytes JMP 0000000100240600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007627f52b 5 bytes JMP 0000000100240a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076225181 5 bytes JMP 0000000100251014 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076225254 5 bytes JMP 0000000100250804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762253d5 5 bytes JMP 0000000100250a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762254c2 5 bytes JMP 0000000100250c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762255e2 5 bytes JMP 0000000100250e10 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007622567c 5 bytes JMP 00000001002501f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007622589f 5 bytes JMP 00000001002503fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2888] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076225a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d0faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d0fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d0fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d10018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d2c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d31217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007625ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076263982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076267603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007626835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007627f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076225181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076225254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762253d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762254c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762255e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007622567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007622589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\CryptoTech\CryptoCard\CCMonitor.exe[2932] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076225a22 5 bytes JMP 0000000100250600 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 000000010025075c .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001002503a4 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 0000000100250b14 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 0000000100250ecc .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 000000010025163c .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 0000000100251284 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\system32\SearchIndexer.exe[2464] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 00000001001e075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001001e03a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 00000001001e0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 00000001001e0ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001001e163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 00000001001e1284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2192] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 00000001001b075c .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001001b03a4 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 00000001001b0b14 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 00000001001b0ecc .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001001b163c .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 00000001001b1284 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\System32\svchost.exe[2112] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d0faa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d0fb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d0fc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d10018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d2c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d31217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007625ee09 5 bytes JMP 00000001001501f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076263982 5 bytes JMP 00000001001503fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076267603 5 bytes JMP 0000000100150804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007626835c 5 bytes JMP 0000000100150600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007627f52b 5 bytes JMP 0000000100150a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076225181 5 bytes JMP 0000000100161014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076225254 5 bytes JMP 0000000100160804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762253d5 5 bytes JMP 0000000100160a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762254c2 5 bytes JMP 0000000100160c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762255e2 5 bytes JMP 0000000100160e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007622567c 5 bytes JMP 00000001001601f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007622589f 5 bytes JMP 00000001001603fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076225a22 5 bytes JMP 0000000100160600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077cc1401 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077cc1419 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077cc1431 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000077cc144a 2 bytes [CC, 77] .text ... * 9 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000077cc14dd 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000077cc14f5 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000077cc150d 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077cc1525 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000077cc153d 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077cc1555 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000077cc156d 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077cc1585 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000077cc159d 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000077cc15b5 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000077cc15cd 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000077cc16b2 2 bytes [CC, 77] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_5_502_146_ActiveX.exe[3800] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000077cc16bd 2 bytes [CC, 77] .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 00000001003b075c .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001003b03a4 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 00000001003b0b14 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 00000001003b0ecc .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001003b163c .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 00000001003b1284 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Windows\System32\svchost.exe[732] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 0000000077cc03b0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Windows\system32\AUDIODG.EXE[3756] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077b33ae0 5 bytes JMP 00000001001a075c .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077b37a90 5 bytes JMP 00000001001a03a4 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077b613c0 5 bytes JMP 0000000077cc0440 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077b61410 5 bytes JMP 0000000077cc0430 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077b61490 5 bytes JMP 00000001001a0b14 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077b614f0 5 bytes JMP 00000001001a0ecc .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077b615c0 1 byte JMP 0000000077cc0450 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077b615c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077b615d0 5 bytes JMP 00000001001a163c .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077b61680 5 bytes JMP 0000000077cc0320 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077b616b0 5 bytes JMP 0000000077cc0380 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077b61710 5 bytes JMP 0000000077cc02e0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077b61760 5 bytes JMP 0000000077cc0410 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077b61790 5 bytes JMP 0000000077cc02d0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077b617b0 5 bytes JMP 0000000077cc0310 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077b617f0 5 bytes JMP 0000000077cc0390 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077b61810 5 bytes JMP 00000001001a1284 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077b61840 5 bytes JMP 0000000077cc03c0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077b619a0 1 byte JMP 0000000077cc0230 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077b619a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077b61b60 5 bytes JMP 0000000077cc0460 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077b61b90 5 bytes JMP 0000000077cc0370 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077b61c70 5 bytes JMP 0000000077cc02f0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077b61c80 5 bytes JMP 0000000077cc0350 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077b61ce0 5 bytes JMP 0000000077cc0290 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077b61d70 5 bytes JMP 0000000077cc02b0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077b61d90 5 bytes JMP 0000000077cc03a0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077b61da0 1 byte JMP 0000000077cc0330 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077b61da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077b61e10 5 bytes JMP 0000000077cc03e0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077b61e40 5 bytes JMP 0000000077cc0240 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077b62100 5 bytes JMP 0000000077cc01e0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077b621c0 1 byte JMP 0000000077cc0250 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077b621c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077b621f0 5 bytes JMP 0000000077cc0470 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077b62200 5 bytes JMP 0000000077cc0480 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077b62230 5 bytes JMP 0000000077cc0300 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077b62240 5 bytes JMP 0000000077cc0360 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077b622a0 5 bytes JMP 0000000077cc02a0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077b622f0 5 bytes JMP 0000000077cc02c0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077b62330 5 bytes JMP 0000000077cc0340 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077b62620 5 bytes JMP 0000000077cc0420 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077b62820 5 bytes JMP 0000000077cc0260 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077b62830 5 bytes JMP 0000000077cc0270 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077b62840 1 byte JMP 0000000077cc03d0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077b62842 3 bytes {JMP 0x15db90} .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077b62a00 5 bytes JMP 0000000077cc01f0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077b62a10 5 bytes JMP 0000000077cc0210 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077b62a80 5 bytes JMP 0000000077cc0200 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077b62ae0 5 bytes JMP 0000000077cc03f0 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077b62af0 5 bytes JMP 0000000077cc0400 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077b62b00 5 bytes JMP 0000000077cc0220 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077b62be0 5 bytes JMP 0000000077cc0280 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000776eeecd 1 byte [62] .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe346e00 5 bytes JMP 000007ff7e361dac .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe346f2c 5 bytes JMP 000007ff7e360ecc .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe347220 5 bytes JMP 000007ff7e361284 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe34739c 5 bytes JMP 000007ff7e36163c .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe347538 5 bytes JMP 000007ff7e3619f4 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe3475e8 5 bytes JMP 000007ff7e3603a4 .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe34790c 5 bytes JMP 000007ff7e36075c .text C:\Program Files\Microsoft Games\solitaire\solitaire.exe[1200] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe347ab4 5 bytes JMP 000007ff7e360b14 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d0faa0 5 bytes JMP 0000000100030600 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d0fb38 5 bytes JMP 0000000100030804 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d0fc90 5 bytes JMP 0000000100030c0c .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d10018 5 bytes JMP 0000000100030a08 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077d2c45a 5 bytes JMP 00000001000301f8 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077d31217 5 bytes JMP 00000001000303fc .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007706a30a 1 byte [62] .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076225181 5 bytes JMP 00000001001d1014 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076225254 5 bytes JMP 00000001001d0804 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000762253d5 5 bytes JMP 00000001001d0a08 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000762254c2 5 bytes JMP 00000001001d0c0c .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000762255e2 5 bytes JMP 00000001001d0e10 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007622567c 5 bytes JMP 00000001001d01f8 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007622589f 5 bytes JMP 00000001001d03fc .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076225a22 5 bytes JMP 00000001001d0600 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007625ee09 5 bytes JMP 00000001001e01f8 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076263982 5 bytes JMP 00000001001e03fc .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076267603 5 bytes JMP 00000001001e0804 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007626835c 5 bytes JMP 00000001001e0600 .text C:\Users\JERZY\Desktop\GMER\gmer\gmer.exe[2196] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007627f52b 5 bytes JMP 00000001001e0a08 ---- Threads - GMER 2.0 ---- Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1232] 0000000077d42e25 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1236] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1248] 0000000076227587 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1260] 0000000073b88d60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1280] 0000000073926fe0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1284] 0000000073926900 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1680] 000000007391c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1684] 000000007391c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1688] 000000007391c220 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1692] 000000007391d470 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1696] 000000007391ca80 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1700] 00000000739386a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1704] 0000000073937480 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1708] 0000000073937850 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1712] 000000007391e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1716] 000000007391e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1720] 000000007391e780 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1724] 00000000732712f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1728] 0000000073272c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1732] 0000000073272c10 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1736] 0000000073241070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1740] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1744] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1748] 00000000731f12f0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1752] 00000000731d1000 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1756] 0000000073927b60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1760] 000000007391e280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1764] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1768] 0000000073a35400 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1772] 00000000732416a0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1808] 00000000730b6120 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1820] 00000000731d1280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1840] 0000000072dc1670 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1844] 0000000072dc1840 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1848] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1852] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1856] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1860] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1864] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1868] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1872] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1876] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1880] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1884] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1888] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1892] 0000000073b84290 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1896] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1904] 0000000073b88650 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1908] 0000000073b928c0 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1912] 0000000073b96680 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1916] 0000000073b89280 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1924] 0000000073b8b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1928] 0000000073b8b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1932] 0000000073b8b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1936] 0000000073b8b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1940] 0000000073b8b070 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1944] 0000000073b90a60 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1948] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1972] 00000000730062ee Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:2004] 0000000077d43e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3864] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3868] 0000000073e3345e Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:4064] 0000000077d43e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:4076] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:4012] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3980] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:844] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1164] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:884] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:1208] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3600] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3656] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3952] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:3576] 0000000073e332ce Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:2016] 0000000077d43e45 Thread C:\Program Files\AVAST Software\Avast\AvastSvc.exe [1148:2132] 0000000077d43e45 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2192:1964] 000007feffc20168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2192:3152] 000007fefc682a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2192:3160] 000007fef2a5d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2192:3252] 000007fefb9a5124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2192:2332] 000007feffc20168 Thread C:\Windows\System32\svchost.exe [732:3380] 000007fef1cf9688 ---- Processes - GMER 2.0 ---- Library ? (*** suspicious ***) @ C:\Program Files\Windows Media Player\wmpnetwk.exe [2192] 000007fefe460000 Library ? (*** suspicious ***) @ C:\Windows\System32\svchost.exe [732] 000007fefe360000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 470 ---- EOF - GMER 2.0 ----