GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-29 14:53:24 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HDS721010DLE630 rev.MS2OA5R0 931,51GB Running: mehynme4.exe; Driver: C:\Users\RAFA~1\AppData\Local\Temp\kwtdyaow.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff8000fbac000 45 bytes [43, 4D, 33, 31, 05, 00, 00, ...] INITKDBG C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff8000fbac02f 16 bytes [00, 00, 00, 00, 00, 00, 00, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 00000001499b0460 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 00000001499b0450 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 00000001499b0370 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 00000001499b0470 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000001499b03e0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 00000001499b0320 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000001499b03b0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 00000001499b0390 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000001499b02e0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000001499b02d0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 00000001499b0310 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000001499b03c0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000001499b03f0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 00000001499b0230 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0xffffffffd25fe890} .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 00000001499b0480 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000001499b03a0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000001499b02f0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 00000001499b0350 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 00000001499b0290 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000001499b02b0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000001499b03d0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 00000001499b0330 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0xffffffffd25fe590} .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 00000001499b0410 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 00000001499b0240 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000001499b01e0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 00000001499b0250 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0xffffffffd25fe090} .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 00000001499b0490 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000001499b04a0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 00000001499b0300 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 00000001499b0360 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000001499b02a0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000001499b02c0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 00000001499b0380 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 00000001499b0340 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 00000001499b0440 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 00000001499b0260 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 00000001499b0270 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001499b0400 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000001499b01f0 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 00000001499b0210 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 00000001499b0200 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 00000001499b0420 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 00000001499b0430 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 00000001499b0220 .text C:\windows\system32\csrss.exe[460] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 00000001499b0280 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\wininit.exe[520] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\wininit.exe[520] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 00000001499b0460 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 00000001499b0450 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 00000001499b0370 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 00000001499b0470 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000001499b03e0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 00000001499b0320 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000001499b03b0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 00000001499b0390 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000001499b02e0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000001499b02d0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 00000001499b0310 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000001499b03c0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000001499b03f0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 00000001499b0230 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0xffffffffd25fe890} .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 00000001499b0480 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000001499b03a0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000001499b02f0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 00000001499b0350 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 00000001499b0290 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000001499b02b0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000001499b03d0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 00000001499b0330 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0xffffffffd25fe590} .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 00000001499b0410 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 00000001499b0240 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000001499b01e0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 00000001499b0250 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0xffffffffd25fe090} .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 00000001499b0490 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000001499b04a0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 00000001499b0300 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 00000001499b0360 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000001499b02a0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000001499b02c0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 00000001499b0380 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 00000001499b0340 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 00000001499b0440 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 00000001499b0260 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 00000001499b0270 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001499b0400 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000001499b01f0 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 00000001499b0210 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 00000001499b0200 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 00000001499b0420 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 00000001499b0430 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 00000001499b0220 .text C:\windows\system32\csrss.exe[548] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 00000001499b0280 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\services.exe[596] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\services.exe[596] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\lsass.exe[608] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000100070460 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000100070450 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000100070370 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000100070470 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000001000703e0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000100070320 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000001000703b0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000100070390 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000001000702e0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000001000702d0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000100070310 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000001000703c0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000001000703f0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000100070230 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0xffffffff88cbe890} .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000100070480 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000001000703a0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000001000702f0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000100070350 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000100070290 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000001000702b0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000001000703d0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000100070330 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0xffffffff88cbe590} .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000100070410 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000100070240 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000001000701e0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000100070250 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0xffffffff88cbe090} .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000100070490 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000001000704a0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000100070300 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000100070360 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000001000702a0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000001000702c0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000100070380 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000100070340 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000100070440 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000100070260 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000100070270 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000100070400 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000001000701f0 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000100070210 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000100070200 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000100070420 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000100070430 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000100070220 .text C:\windows\system32\lsm.exe[620] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000100070280 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\winlogon.exe[684] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\winlogon.exe[684] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[772] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[772] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\nvvsvc.exe[852] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[892] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\System32\svchost.exe[968] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\System32\svchost.exe[968] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\System32\svchost.exe[1016] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\System32\svchost.exe[1016] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000100070460 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000100070450 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000100070370 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000100070470 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000001000703e0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000100070320 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000001000703b0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000100070390 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000001000702e0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000001000702d0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000100070310 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000001000703c0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000001000703f0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000100070230 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0xffffffff88cbe890} .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000100070480 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000001000703a0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000001000702f0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000100070350 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000100070290 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000001000702b0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000001000703d0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000100070330 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0xffffffff88cbe590} .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000100070410 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000100070240 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000001000701e0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000100070250 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0xffffffff88cbe090} .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000100070490 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000001000704a0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000100070300 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000100070360 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000001000702a0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000001000702c0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000100070380 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000100070340 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000100070440 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000100070260 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000100070270 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000100070400 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000001000701f0 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000100070210 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000100070200 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000100070420 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000100070430 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000100070220 .text C:\windows\system32\svchost.exe[416] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000100070280 .text C:\windows\system32\svchost.exe[416] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[472] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[472] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\Program Files\IDT\WDM\STacSV64.exe[572] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\AUDIODG.EXE[1120] C:\windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[1360] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[1360] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1456] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\nvvsvc.exe[1468] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\System32\spoolsv.exe[1736] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[1784] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[1784] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe[1864] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\taskhost.exe[1088] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\taskhost.exe[1088] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\Dwm.exe[1428] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\Explorer.EXE[1656] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\Explorer.EXE[1656] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\SysWOW64\ezSharedSvcHost.exe[2068] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe[2316] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2324] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[2424] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[2424] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000871465 2 bytes [87, 00] .text C:\Program Files (x86)\Epson Software\Event Manager\EEventManager.exe[2424] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000008714bb 2 bytes [87, 00] .text ... * 2 .text C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe[2456] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe[2456] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2504] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\PDF Complete\pdfsvc.exe[2692] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe[3000] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[3056] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[3056] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000000775103e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 0000000077510400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2200] C:\windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe[2360] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3428] C:\windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3428] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\system32\svchost.exe[4076] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077383ae0 5 bytes JMP 000000010028075c .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077387a90 5 bytes JMP 00000001002803a4 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773b1490 5 bytes JMP 0000000100280b14 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773b14f0 5 bytes JMP 0000000100280ecc .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 000000010028163c .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773b1810 5 bytes JMP 0000000100281284 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001002819f4 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\system32\SearchIndexer.exe[1972] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077383ae0 5 bytes JMP 00000001001a075c .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077387a90 5 bytes JMP 00000001001a03a4 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773b1490 5 bytes JMP 00000001001a0b14 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773b14f0 5 bytes JMP 00000001001a0ecc .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 00000001001a163c .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773b1810 5 bytes JMP 00000001001a1284 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001001a19f4 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\system32\svchost.exe[4164] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\System32\WUDFHost.exe[4256] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe[740] C:\windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe[2000] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077383ae0 5 bytes JMP 000000010019075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077387a90 5 bytes JMP 00000001001903a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773b1490 5 bytes JMP 0000000100190b14 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773b14f0 5 bytes JMP 0000000100190ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 000000010019163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773b1810 5 bytes JMP 0000000100191284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001001919f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007729eecd 1 byte [62] .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe[1532] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1164] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100260a08 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077383ae0 5 bytes JMP 000000010026075c .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077387a90 5 bytes JMP 00000001002603a4 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773b13c0 5 bytes JMP 0000000077510460 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773b1410 5 bytes JMP 0000000077510450 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773b1490 5 bytes JMP 0000000100260b14 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773b14f0 5 bytes JMP 0000000100260ecc .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000773b1570 5 bytes JMP 0000000077510370 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773b15c0 5 bytes JMP 0000000077510470 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773b15d0 5 bytes JMP 000000010026163c .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773b1680 5 bytes JMP 0000000077510320 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773b16b0 5 bytes JMP 00000000775103b0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00000000773b16d0 5 bytes JMP 0000000077510390 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773b1710 5 bytes JMP 00000000775102e0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773b1790 5 bytes JMP 00000000775102d0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773b17b0 5 bytes JMP 0000000077510310 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773b17f0 5 bytes JMP 00000000775103c0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773b1810 5 bytes JMP 0000000100261284 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773b1840 5 bytes JMP 00000000775103f0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773b19a0 1 byte JMP 0000000077510230 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000773b19a2 3 bytes {JMP 0x15e890} .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773b1b60 5 bytes JMP 0000000077510480 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773b1b90 5 bytes JMP 00000000775103a0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773b1c70 5 bytes JMP 00000000775102f0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773b1c80 5 bytes JMP 0000000077510350 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773b1ce0 5 bytes JMP 0000000077510290 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773b1d70 5 bytes JMP 00000000775102b0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773b1d90 5 bytes JMP 00000000775103d0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773b1da0 1 byte JMP 0000000077510330 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000773b1da2 3 bytes {JMP 0x15e590} .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773b1e10 5 bytes JMP 0000000077510410 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773b1e40 5 bytes JMP 0000000077510240 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773b2100 5 bytes JMP 00000000775101e0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773b21c0 1 byte JMP 0000000077510250 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000773b21c2 3 bytes {JMP 0x15e090} .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773b21f0 5 bytes JMP 0000000077510490 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773b2200 5 bytes JMP 00000000775104a0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773b2230 5 bytes JMP 0000000077510300 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773b2240 5 bytes JMP 0000000077510360 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773b22a0 5 bytes JMP 00000000775102a0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773b22f0 5 bytes JMP 00000000775102c0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000773b2320 5 bytes JMP 0000000077510380 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773b2330 5 bytes JMP 0000000077510340 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773b2620 5 bytes JMP 0000000077510440 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773b2820 5 bytes JMP 0000000077510260 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773b2830 5 bytes JMP 0000000077510270 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773b2840 5 bytes JMP 00000001002619f4 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773b2a00 5 bytes JMP 00000000775101f0 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773b2a10 5 bytes JMP 0000000077510210 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773b2a80 5 bytes JMP 0000000077510200 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773b2ae0 5 bytes JMP 0000000077510420 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773b2af0 5 bytes JMP 0000000077510430 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773b2b00 5 bytes JMP 0000000077510220 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773b2be0 5 bytes JMP 0000000077510280 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\System32\svchost.exe[1112] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\system32\svchost.exe[4728] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 00000001000e0e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001000f1014 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001000f0804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001000f0a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001000f0c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001000f0e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001000f01f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001000f03fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001000f0600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.362.0\SeaPort.exe[660] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001000b1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001000b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001000b0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSASend 0000000075d24406 6 bytes JMP 719d0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSALookupServiceNextW 0000000075d24cbc 6 bytes JMP 71a90f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSALookupServiceEnd 0000000075d25239 6 bytes JMP 71a60f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075d2575a 6 bytes JMP 71af0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!recv 0000000075d26b0e 6 bytes JMP 71a00f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!send 0000000075d26f01 6 bytes JMP 71a30f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000075d27089 6 bytes JMP 719a0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3052] C:\windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000075d27489 6 bytes JMP 71970f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0xce3628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100d40600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100d40804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0xce3668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0xce35a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0xce3528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0xce3728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0xce3768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100d40c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0xce36e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0xce36a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0xce3468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0xce34a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100d40a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0xce3428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0xce35e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0xce3568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0xce34e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100d40e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 0000000100d401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 0000000100d403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 0000000100e001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 0000000100e003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100e00804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100e00600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100e00a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 0000000100e11014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 0000000100e10804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 0000000100e10a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 0000000100e10c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 0000000100e10e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 0000000100e101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 0000000100e103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 0000000100e10600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSASend 0000000075d24406 6 bytes JMP 719d0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSALookupServiceNextW 0000000075d24cbc 6 bytes JMP 71a90f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSALookupServiceEnd 0000000075d25239 6 bytes JMP 71a60f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSALookupServiceBeginW 0000000075d2575a 6 bytes JMP 71af0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!recv 0000000075d26b0e 6 bytes JMP 71a00f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!send 0000000075d26f01 6 bytes JMP 71a30f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSARecv 0000000075d27089 6 bytes JMP 719a0f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1640] C:\windows\syswow64\WS2_32.dll!WSAGetOverlappedResult 0000000075d27489 6 bytes JMP 71970f5a .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0x8a3228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100980600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100980804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0x8a3268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0x8a31a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0x8a3128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0x8a3328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0x8a3368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100980c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0x8a32e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0x8a32a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0x8a3068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0x8a30a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100980a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0x8a3028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0x8a31e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0x8a3168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0x8a30e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100980e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001009801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001009803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001009d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001009d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 00000001009d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 00000001009d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 00000001009d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001009e1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001009e0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001009e0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001009e0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001009e0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001009e01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001009e03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001009e0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4756] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0x289228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100390600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100390804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0x289268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0x2891a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0x289128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0x289328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0x289368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100390c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0x2892e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0x2892a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0x289068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0x2890a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100390a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0x289028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0x2891e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0x289168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0x2890e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100390e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001003901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001003903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001003a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001003a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 00000001003a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 00000001003a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 00000001003a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001003b1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001003b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001003b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001003b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001003b0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001003b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001003b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001003b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000541465 2 bytes [54, 00] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2956] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000005414bb 2 bytes [54, 00] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007755f991 7 bytes {MOV EDX, 0x177e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007755fbd5 7 bytes {MOV EDX, 0x177e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007755fc05 7 bytes {MOV EDX, 0x177da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007755fc1d 7 bytes {MOV EDX, 0x177d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007755fc35 7 bytes {MOV EDX, 0x177f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007755fc65 7 bytes {MOV EDX, 0x177f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007755fce5 7 bytes {MOV EDX, 0x177ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007755fcfd 7 bytes {MOV EDX, 0x177ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007755fd49 7 bytes {MOV EDX, 0x177c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007755fe41 7 bytes {MOV EDX, 0x177ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077560099 7 bytes {MOV EDX, 0x177c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000775610a5 7 bytes {MOV EDX, 0x177de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007756111d 7 bytes {MOV EDX, 0x177d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077561321 7 bytes {MOV EDX, 0x177ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\USER32.dll!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\USER32.dll!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076467603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\USER32.dll!SetWindowsHookExA 000000007646835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 00000001001f1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 00000001001f0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 00000001001f0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077511465 2 bytes [51, 77] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2952] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000775114bb 2 bytes [51, 77] .text ... * 2 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075d75181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075d75254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075d753d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075d754c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075d755e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!CreateServiceA 0000000075d7567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!CreateServiceW 0000000075d7589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\SysWOW64\sechost.dll!DeleteService 0000000075d75a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000000251465 2 bytes [25, 00] .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000002514bb 2 bytes [25, 00] .text ... * 2 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\user32.DLL!SetWinEventHook 000000007645ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\user32.DLL!UnhookWinEvent 0000000076463982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\user32.DLL!SetWindowsHookExW 0000000076467603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\user32.DLL!SetWindowsHookExA 000000007646835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe[6108] C:\windows\syswow64\user32.DLL!UnhookWindowsHookEx 000000007647f52b 5 bytes JMP 0000000100260a08 .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefec66e00 5 bytes JMP 000007ff7ec81dac .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefec66f2c 5 bytes JMP 000007ff7ec80ecc .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefec67220 5 bytes JMP 000007ff7ec81284 .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefec6739c 5 bytes JMP 000007ff7ec8163c .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefec67538 5 bytes JMP 000007ff7ec819f4 .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefec675e8 5 bytes JMP 000007ff7ec803a4 .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefec6790c 5 bytes JMP 000007ff7ec8075c .text C:\windows\system32\wbem\unsecapp.exe[5264] C:\windows\SYSTEM32\sechost.dll!DeleteService 000007fefec67ab4 5 bytes JMP 000007ff7ec80b14 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007755fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007755fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077560018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!NtSetContextThread 0000000077561900 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007757c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077581217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe[4468] C:\windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007689a30a 1 byte [62] .text C:\Users\Rafa 000000007755faa0 5 bytes JMP 0000000100030600 .text C:\Users\Rafa 000000007755fb38 5 bytes JMP 0000000100030804 .text + 112 000000007689a30a 1 byte [62] .text C:\Users\Rafa 0000000075d75181 5 bytes JMP 00000001001d1014 .text C:\Users\Rafa 0000000075d75254 5 bytes JMP 00000001001d0804 .text C:\Users\Rafa 000000007645ee09 5 bytes JMP 00000001001e01f8 .text C:\Users\Rafa 0000000076463982 5 bytes JMP 00000001001e03fc ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4720:4960] 000007fefea50168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4720:4980] 000007fefb5a2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4720:3664] 000007fef60d5124 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----