GMER 2.1.19115 - http://www.gmer.net Rootkit scan 2013-03-04 08:52:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: 9z6vy7pm.exe; Driver: C:\Users\Dawid\AppData\Local\Temp\awldikob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88005512d64 12 bytes {MOV RAX, 0xfffffa80069812a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88d1ee90} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88d1e890} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88d1e590} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88d1e090} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88d1db90} .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\wininit.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\wininit.exe[600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88d1ee90} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88d1e890} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88d1e590} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88d1e090} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88d1db90} .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\lsass.exe[684] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\lsm.exe[692] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\atiesrxx.exe[936] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\winlogon.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[504] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[508] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[1100] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[1196] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\atieclxx.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe[1728] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Launch Manager\dsiwmis.exe[1808] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Program Files\Packard Bell\Packard Bell Power Management\ePowerSvc.exe[1832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\svchost.exe[1856] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1920] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f81465 2 bytes [F8, 74] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[1960] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f814bb 2 bytes [F8, 74] .text ... * 2 .text C:\Program Files (x86)\Synaptics\Scrybe\Service\ScrybeUpdater.exe[2008] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\SeaPort.EXE[1668] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1984] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe[1888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Windows\SysWOW64\vmnat.exe[1308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[2080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2112] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2188] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f81465 2 bytes [F8, 74] .text C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[2188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f814bb 2 bytes [F8, 74] .text ... * 2 .text C:\Windows\SysWOW64\vmnetdhcp.exe[2360] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\taskhost.exe[2868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\Dwm.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\taskeng.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\Explorer.EXE[3032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\Explorer.EXE[3032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f81465 2 bytes [F8, 74] .text C:\Program Files (x86)\Google\Update\GoogleUpdate.exe[2976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f814bb 2 bytes [F8, 74] .text ... * 2 .text C:\ProgramData\DatacardService\DCSHelper.exe[3088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100070440 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100070430 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100070450 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88c6ee90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001000703b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100070320 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100070380 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001000702e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100070410 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001000702d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100070310 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100070390 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001000703c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100070230 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88c6e890} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100070460 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100070370 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001000702f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100070350 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100070290 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001000702b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001000703a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100070330 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88c6e590} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001000703e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100070240 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001000701e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100070250 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88c6e090} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100070470 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100070480 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100070300 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100070360 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001000702a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001000702c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100070340 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100070420 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100070260 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100070270 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001000703d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88c6db90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001000701f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100070210 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100070200 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001000703f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100070400 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100070220 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100070280 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[3512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3688] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\SearchIndexer.exe[3840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3ae0 6 bytes {NOP ; JMP 0xffffffff88edcc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773d7a90 6 bytes {NOP ; JMP 0xffffffff88ed8914} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100210440 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100210430 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077401490 6 bytes {NOP ; JMP 0xffffffff88eaf684} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774014f0 6 bytes {NOP ; JMP 0xffffffff88eaf9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100210450 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88e0ee90} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 6 bytes {NOP ; JMP 0xffffffff88eb006c} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100210320 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100210380 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001002102e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100210410 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001002102d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100210310 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100210390 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077401810 6 bytes {NOP ; JMP 0xffffffff88eafa74} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001002103c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100210230 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88e0e890} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100210460 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100210370 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001002102f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100210350 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100210290 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001002102b0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001002103a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100210330 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88e0e590} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001002103e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100210240 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001002101e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100210250 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88e0e090} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100210470 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100210480 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100210300 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100210360 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001002102a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001002102c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100210340 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100210420 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100210260 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100210270 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001002103d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88e0db90} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001002101f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100210210 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100210200 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001002103f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100210400 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100210220 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100210280 .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdeb6e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdeb6f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdeb7220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdeb739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdeb7538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdeb75e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdeb790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdeb7ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feff564ed0 9 bytes [68, 78, 03, 8B, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbf05c54 7 bytes [68, 08, 03, 8B, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbf05c64 9 bytes [68, 40, 03, 8B, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4688] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007fefe0d17a0 9 bytes [68, B0, 03, 8B, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A 00000000773cf548 7 bytes JMP 0000000102950570 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3ae0 6 bytes {NOP ; JMP 0xffffffff8903cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773d7a90 6 bytes {NOP ; JMP 0xffffffff89038914} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W 00000000773db0ac 7 bytes JMP 00000001029505a8 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100210440 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100210430 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077401490 6 bytes {NOP ; JMP 0xffffffff8900f684} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774014f0 6 bytes {NOP ; JMP 0xffffffff8900f9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100210450 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88e0ee90} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 6 bytes {NOP ; JMP 0xffffffff8901006c} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100210320 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100210380 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001002102e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100210410 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001002102d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100210310 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100210390 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077401810 6 bytes {NOP ; JMP 0xffffffff8900fa74} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001002103c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100210230 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88e0e890} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100210460 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100210370 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001002102f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100210350 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100210290 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001002102b0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001002103a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100210330 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88e0e590} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001002103e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100210240 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001002101e0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100210250 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88e0e090} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100210470 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100210480 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100210300 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100210360 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001002102a0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001002102c0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100210340 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100210420 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100210260 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100210270 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001002103d0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88e0db90} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001002101f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100210210 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100210200 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001002103f0 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100210400 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100210220 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100210280 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\KERNEL32.dll!CreateThread 0000000076de6580 9 bytes JMP 00000001029504c8 .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdeb6e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdeb6f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdeb7220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdeb739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdeb7538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdeb75e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdeb790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdeb7ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007fefe2b75f0 7 bytes [68, E0, 05, 95, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007feff501180 10 bytes [68, C0, 06, 95, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007feff501320 7 bytes [68, 50, 06, 95, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007feff504450 6 bytes [68, 18, 06, 95, 02, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007feff506720 10 bytes [68, 88, 06, 95, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feff564ed0 9 bytes [68, 78, 03, 95, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbf05c54 7 bytes [68, 08, 03, 95, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbf05c64 9 bytes [68, 40, 03, 95, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[4892] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007fefe0d17a0 9 bytes [68, B0, 03, 95, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A 00000000773cf548 7 bytes JMP 0000000103070570 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3ae0 6 bytes {NOP ; JMP 0xffffffff8914cc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773d7a90 6 bytes {NOP ; JMP 0xffffffff89148914} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W 00000000773db0ac 7 bytes JMP 00000001030705a8 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077401490 6 bytes {NOP ; JMP 0xffffffff8911f684} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774014f0 6 bytes {NOP ; JMP 0xffffffff8911f9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 6 bytes {NOP ; JMP 0xffffffff8912006c} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077401810 6 bytes {NOP ; JMP 0xffffffff8911fa74} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\KERNEL32.dll!CreateThread 0000000076de6580 9 bytes JMP 00000001030704c8 .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdeb6e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdeb6f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdeb7220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdeb739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdeb7538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdeb75e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdeb790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdeb7ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007fefe2b75f0 7 bytes [68, E0, 05, 07, 03, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007feff501180 10 bytes [68, C0, 06, 07, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007feff501320 7 bytes [68, 50, 06, 07, 03, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007feff504450 6 bytes [68, 18, 06, 07, 03, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007feff506720 10 bytes [68, 88, 06, 07, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feff564ed0 9 bytes [68, 78, 03, 07, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbf05c54 7 bytes [68, 08, 03, 07, 03, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbf05c64 9 bytes [68, 40, 03, 07, 03, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[376] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007fefe0d17a0 9 bytes [68, B0, 03, 07, 03, C3, CC, ...] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000775afaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000775afb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000775b0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000775cc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000768c5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000768c5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768c53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768c54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768c55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000768c567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000768c589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000768c5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074faee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074fb3982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074fb7603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074fb835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4228] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074fcf52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000775afaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000775afb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000775afc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000775b0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000775cc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775d1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000768c5181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000768c5254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000768c53d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000768c54c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000768c55e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000768c567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000768c589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000768c5a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074faee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074fb3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074fb7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074fb835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4368] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074fcf52b 5 bytes JMP 0000000100250a08 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_A 00000000773cf548 7 bytes JMP 0000000102e00570 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3ae0 6 bytes {NOP ; JMP 0xffffffff88ffcc7c} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773d7a90 6 bytes {NOP ; JMP 0xffffffff88ff8914} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtdllDefWindowProc_W 00000000773db0ac 7 bytes JMP 0000000102e005a8 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000100210440 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000100210430 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077401490 6 bytes {NOP ; JMP 0xffffffff88fcf684} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774014f0 6 bytes {NOP ; JMP 0xffffffff88fcf9dc} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000100210450 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0xffffffff88e0ee90} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 6 bytes {NOP ; JMP 0xffffffff88fd006c} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000100210320 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000100210380 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000001002102e0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000100210410 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000001002102d0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000100210310 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000100210390 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077401810 6 bytes {NOP ; JMP 0xffffffff88fcfa74} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000001002103c0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000100210230 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0xffffffff88e0e890} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000100210460 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000100210370 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000001002102f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000100210350 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000100210290 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000001002102b0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000001002103a0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000100210330 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0xffffffff88e0e590} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000001002103e0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000100210240 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000001002101e0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000100210250 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0xffffffff88e0e090} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000100210470 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000100210480 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000100210300 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000100210360 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000001002102a0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000001002102c0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000100210340 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000100210420 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000100210260 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000100210270 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000001002103d0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0xffffffff88e0db90} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000001002101f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000100210210 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000100210200 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000001002103f0 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000100210400 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000100210220 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000100210280 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\KERNEL32.dll!CreateThread 0000000076de6580 9 bytes JMP 0000000102e004c8 .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdeb6e00 6 bytes {NOP ; JMP 0xffffffff8001afac} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdeb6f2c 6 bytes {NOP ; JMP 0xffffffff80019fa0} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdeb7220 6 bytes {NOP ; JMP 0xffffffff8001a064} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdeb739c 6 bytes {NOP ; JMP 0xffffffff8001a2a0} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdeb7538 6 bytes {NOP ; JMP 0xffffffff8001a4bc} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdeb75e8 6 bytes {NOP ; JMP 0xffffffff80018dbc} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdeb790c 6 bytes {NOP ; JMP 0xffffffff80018e50} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdeb7ab4 6 bytes {NOP ; JMP 0xffffffff80019060} .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\ole32.dll!OleLoadFromStream 000007fefe2b75f0 7 bytes [68, E0, 05, E0, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\OLEAUT32.dll!VariantClear 000007feff501180 10 bytes [68, C0, 06, E0, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\OLEAUT32.dll!SysFreeString 000007feff501320 7 bytes [68, 50, 06, E0, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\OLEAUT32.dll!SysAllocStringByteLen 000007feff504450 6 bytes [68, 18, 06, E0, 02, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\OLEAUT32.dll!VariantChangeType 000007feff506720 10 bytes [68, 88, 06, E0, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\OLEAUT32.dll!OleCreatePropertyFrameIndirect 000007feff564ed0 9 bytes [68, 78, 03, E0, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheetW 000007fefbf05c54 7 bytes [68, 08, 03, E0, 02, C3, CC] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll!PropertySheet 000007fefbf05c64 9 bytes [68, 40, 03, E0, 02, C3, CC, ...] .text C:\Program Files\Internet Explorer\iexplore.exe[2108] C:\Windows\system32\comdlg32.dll!PageSetupDlgW 000007fefe0d17a0 9 bytes [68, B0, 03, E0, 02, C3, CC, ...] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773d3ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773d7a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077401490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000774014f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000001002e163c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077401810 5 bytes JMP 00000001002e1284 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdeb6e00 5 bytes JMP 000007ff7ded1dac .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdeb6f2c 5 bytes JMP 000007ff7ded0ecc .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdeb7220 5 bytes JMP 000007ff7ded1284 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdeb739c 5 bytes JMP 000007ff7ded163c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdeb7538 5 bytes JMP 000007ff7ded19f4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdeb75e8 5 bytes JMP 000007ff7ded03a4 .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdeb790c 5 bytes JMP 000007ff7ded075c .text C:\Program Files\TortoiseSVN\bin\TSVNCache.exe[4952] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdeb7ab4 5 bytes JMP 000007ff7ded0b14 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000774013c0 5 bytes JMP 0000000077560440 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077401410 5 bytes JMP 0000000077560430 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000774015c0 1 byte JMP 0000000077560450 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000774015c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000774015d0 5 bytes JMP 00000000775603b0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077401680 5 bytes JMP 0000000077560320 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000774016b0 5 bytes JMP 0000000077560380 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077401710 5 bytes JMP 00000000775602e0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077401760 5 bytes JMP 0000000077560410 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077401790 5 bytes JMP 00000000775602d0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000774017b0 5 bytes JMP 0000000077560310 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000774017f0 5 bytes JMP 0000000077560390 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077401840 5 bytes JMP 00000000775603c0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000774019a0 1 byte JMP 0000000077560230 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000774019a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077401b60 5 bytes JMP 0000000077560460 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077401b90 5 bytes JMP 0000000077560370 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077401c70 5 bytes JMP 00000000775602f0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077401c80 5 bytes JMP 0000000077560350 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077401ce0 5 bytes JMP 0000000077560290 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077401d70 5 bytes JMP 00000000775602b0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077401d90 5 bytes JMP 00000000775603a0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077401da0 1 byte JMP 0000000077560330 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077401da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077401e10 5 bytes JMP 00000000775603e0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077401e40 5 bytes JMP 0000000077560240 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077402100 5 bytes JMP 00000000775601e0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000774021c0 1 byte JMP 0000000077560250 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000774021c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000774021f0 5 bytes JMP 0000000077560470 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077402200 5 bytes JMP 0000000077560480 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077402230 5 bytes JMP 0000000077560300 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077402240 5 bytes JMP 0000000077560360 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000774022a0 5 bytes JMP 00000000775602a0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000774022f0 5 bytes JMP 00000000775602c0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077402330 5 bytes JMP 0000000077560340 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077402620 5 bytes JMP 0000000077560420 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077402820 5 bytes JMP 0000000077560260 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077402830 5 bytes JMP 0000000077560270 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077402840 1 byte JMP 00000000775603d0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077402842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077402a00 5 bytes JMP 00000000775601f0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077402a10 5 bytes JMP 0000000077560210 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077402a80 5 bytes JMP 0000000077560200 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077402ae0 5 bytes JMP 00000000775603f0 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077402af0 5 bytes JMP 0000000077560400 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077402b00 5 bytes JMP 0000000077560220 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077402be0 5 bytes JMP 0000000077560280 .text C:\Windows\system32\AUDIODG.EXE[2520] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076e2eecd 1 byte [62] .text C:\Users\Dawid\Downloads\9z6vy7pm.exe[2904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007631a30a 1 byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010790c0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff88001078e4c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff88001079838] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff88001078600] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff88001079a8c] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa8003f412c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa80069862c0 Device \Driver\cdrom \Device\CdRom0 fffffa80067842c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{98CC8A7A-F26D-4341-BF9E-492078F3E21D} fffffa80068652c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa80069862c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{620D5B37-9FCA-4E84-853F-61BEDC328076} fffffa80068652c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa80069862c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa80068652c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa80069862c0 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x2B 0xA2 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x2B 0xA2 0x5F ... Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet004\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0x2B 0xA2 0x5F ... ---- EOF - GMER 2.1 ----