GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-01 15:46:23 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: jgxuwcz1.exe; Driver: C:\Users\Dom\AppData\Local\Temp\uxriqpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000149d30440 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000149d30430 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000149d30450 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 0000000149d303b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000149d30320 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000149d30380 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 0000000149d302e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000149d30410 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 0000000149d302d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000149d30310 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000149d30390 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 0000000149d303c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000149d30230 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000149d30460 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000149d30370 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 0000000149d302f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000149d30350 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000149d30290 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 0000000149d302b0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 0000000149d303a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000149d30330 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 0000000149d303e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000149d30240 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 0000000149d301e0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000149d30250 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000149d30470 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000149d30480 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000149d30300 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000149d30360 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 0000000149d302a0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 0000000149d302c0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000149d30340 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000149d30420 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000149d30260 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000149d30270 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 0000000149d303d0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 0000000149d301f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000149d30210 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000149d30200 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 0000000149d303f0 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000149d30400 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000149d30220 .text C:\Windows\system32\csrss.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000149d30280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\wininit.exe[572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\wininit.exe[572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000149d30440 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000149d30430 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000149d30450 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 0000000149d303b0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000149d30320 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000149d30380 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 0000000149d302e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000149d30410 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 0000000149d302d0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000149d30310 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000149d30390 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 0000000149d303c0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000149d30230 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000149d30460 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000149d30370 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 0000000149d302f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000149d30350 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000149d30290 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 0000000149d302b0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 0000000149d303a0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000149d30330 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 0000000149d303e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000149d30240 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 0000000149d301e0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000149d30250 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000149d30470 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000149d30480 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000149d30300 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000149d30360 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 0000000149d302a0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 0000000149d302c0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000149d30340 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000149d30420 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000149d30260 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000149d30270 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 0000000149d303d0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 0000000149d301f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000149d30210 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000149d30200 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 0000000149d303f0 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000149d30400 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000149d30220 .text C:\Windows\system32\csrss.exe[592] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000149d30280 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\services.exe[628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\services.exe[628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\lsass.exe[652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\lsass.exe[652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\lsm.exe[660] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[764] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\winlogon.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[900] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\System32\svchost.exe[980] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\System32\svchost.exe[980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\System32\svchost.exe[292] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\System32\svchost.exe[292] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\AUDIODG.EXE[712] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[1028] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[1108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\taskeng.exe[1424] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000100070440 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000100070430 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000100070450 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000100070320 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000100070380 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000100070410 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000100070310 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000100070390 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000100070230 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000100070460 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000100070370 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000100070350 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000100070290 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000100070330 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000100070240 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000100070250 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000100070470 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000100070480 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000100070300 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000100070360 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000100070340 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000100070420 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000100070260 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000100070270 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000001000703d0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000100070210 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000100070200 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000100070400 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000100070220 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000100070280 .text C:\Windows\System32\spoolsv.exe[1432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[1468] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000100070440 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000100070430 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000100070450 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000100070320 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000100070380 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000100070410 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000100070310 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000100070390 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000100070230 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000100070460 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000100070370 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000100070350 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000100070290 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000100070330 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000100070250 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000100070470 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000100070480 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000100070420 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000100070400 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\Dwm.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000100070280 .text C:\Windows\SysWOW64\svchost.exe[1956] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\Explorer.EXE[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\Explorer.EXE[2020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\taskeng.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[1220] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\System32\svchost.exe[1916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000000775403b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 0000000077540310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2060] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Program Files (x86)\Samsung\Easy Display Manager\dmhkcore.exe[2208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Program Files (x86)\Samsung\Samsung Recovery Solution 4\WCScheduler.exe[2216] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2604] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007760f962 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2604] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2604] C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll!getJit + 32 000000006ae39380 4 bytes [C8, 10, 01, 10] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075bd1465 2 bytes [BD, 75] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2604] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000075bd14bb 2 bytes [BD, 75] .text ... * 2 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 00000001001b075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001001b03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 00000001001b0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 00000001001b0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000001001b163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001001b19f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 00000001001b1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[1296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010013075c .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001001303a4 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100130b14 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100130ecc .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010013163c .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001001319f4 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100131284 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\SearchIndexer.exe[3800] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010010075c .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001001003a4 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010010163c .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001001019f4 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100101284 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\svchost.exe[3084] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010027075c .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100270b14 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010027163c .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001002719f4 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100271284 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\System32\alg.exe[3432] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010039075c .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001003903a4 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100390b14 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100390ecc .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010039163c .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001003919f4 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100391284 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\servicing\TrustedInstaller.exe[3284] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 00000001003a075c .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000001003a163c .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001003a19f4 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\svchost.exe[384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000771cf1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\svchost.exe[384] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010052075c .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001005203a4 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100520b14 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100520ecc .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010052163c .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001005219f4 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100521284 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\igfxext.exe[2304] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 000000010029075c .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 000000010029163c .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001002919f4 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 0000000100291284 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\igfxsrvc.exe[3000] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000773b2c90 5 bytes JMP 00000001003d075c .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000773c4420 5 bytes JMP 00000001003d03a4 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000773df760 5 bytes JMP 0000000077540440 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000773df7b0 5 bytes JMP 0000000077540430 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000773df830 5 bytes JMP 00000001003d0b14 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000773df890 5 bytes JMP 00000001003d0ecc .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000773df960 5 bytes JMP 0000000077540450 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000773df970 5 bytes JMP 00000001003d163c .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000773dfa20 5 bytes JMP 0000000077540320 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000773dfa50 5 bytes JMP 0000000077540380 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000773dfab0 5 bytes JMP 00000000775402e0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000773dfb00 5 bytes JMP 0000000077540410 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000773dfb30 5 bytes JMP 00000000775402d0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000773dfb50 5 bytes JMP 00000001003d19f4 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000773dfb90 5 bytes JMP 0000000077540390 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000773dfbb0 5 bytes JMP 00000001003d1284 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000773dfbe0 5 bytes JMP 00000000775403c0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000773dfd40 5 bytes JMP 0000000077540230 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000773dff00 5 bytes JMP 0000000077540460 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00000000773dff30 5 bytes JMP 0000000077540370 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000773e0010 5 bytes JMP 00000000775402f0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000773e0020 5 bytes JMP 0000000077540350 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000773e0080 5 bytes JMP 0000000077540290 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000773e0110 5 bytes JMP 00000000775402b0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000773e0130 5 bytes JMP 00000000775403a0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000773e0140 5 bytes JMP 0000000077540330 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000773e01b0 5 bytes JMP 00000000775403e0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000773e01e0 5 bytes JMP 0000000077540240 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000773e04a0 5 bytes JMP 00000000775401e0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000773e0560 5 bytes JMP 0000000077540250 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000773e0590 5 bytes JMP 0000000077540470 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000773e05a0 5 bytes JMP 0000000077540480 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000773e05d0 5 bytes JMP 0000000077540300 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000773e05e0 5 bytes JMP 0000000077540360 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000773e0640 5 bytes JMP 00000000775402a0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000773e0690 5 bytes JMP 00000000775402c0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000773e06d0 5 bytes JMP 0000000077540340 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000773e09c0 5 bytes JMP 0000000077540420 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000773e0bc0 5 bytes JMP 0000000077540260 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000773e0bd0 5 bytes JMP 0000000077540270 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000773e0be0 5 bytes JMP 00000000775403d0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000773e0da0 5 bytes JMP 00000000775401f0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000773e0db0 5 bytes JMP 0000000077540210 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000773e0e20 5 bytes JMP 0000000077540200 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00000000773e0e80 5 bytes JMP 00000000775403f0 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00000000773e0e90 5 bytes JMP 0000000077540400 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000773e0ea0 5 bytes JMP 0000000077540220 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000773e0f80 5 bytes JMP 0000000077540280 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff056e00 5 bytes JMP 000007ff7f071dac .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff056f2c 5 bytes JMP 000007ff7f070ecc .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff057220 5 bytes JMP 000007ff7f071284 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff05739c 5 bytes JMP 000007ff7f07163c .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff057538 5 bytes JMP 000007ff7f0719f4 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff0575e8 5 bytes JMP 000007ff7f0703a4 .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff05790c 5 bytes JMP 000007ff7f07075c .text C:\Windows\system32\sppsvc.exe[1388] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff057ab4 5 bytes JMP 000007ff7f070b14 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007758fa50 5 bytes JMP 00000001001c0600 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007758fae8 5 bytes JMP 00000001001c0804 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007758fc40 5 bytes JMP 00000001001c0c0c .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007758ff34 5 bytes JMP 00000001001c0e10 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007758ffc8 5 bytes JMP 00000001001c0a08 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000775ac4aa 5 bytes JMP 00000001001c01f8 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000775b1247 5 bytes JMP 00000001001c03fc .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007709b0c5 1 byte [62] .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007536f0e6 5 bytes JMP 00000001002601f8 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075373907 5 bytes JMP 00000001002603fc .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075378364 5 bytes JMP 0000000100260600 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000753806b3 5 bytes JMP 0000000100260804 .text C:\Users\Dom\Desktop\fixitpc\jgxuwcz1.exe[2076] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075390efc 5 bytes JMP 0000000100260a08 ---- Processes - GMER 2.1 ---- Library C:\Users\Dom\AppData\Local\Temp\4aaa69a3-1fe2-4b2b-bf34-ae2629f6c797\CliSecureRT.dll (*** suspicious ***) @ C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe [2604](2013-08-29 20:12:31) 0000000010000000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0x28 0xB6 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Users\Dom\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7F 0x28 0xB6 0x27 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Users\Dom\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----