GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-15 20:38:30 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: gmer.exe; Driver: C:\Users\MARCIN\AppData\Local\Temp\pxdiypog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[464] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0xffffffff88a90590} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 
00000001001201e0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0xffffffff88a8fa90} .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[464] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 
00000000777f0390 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\wininit.exe[520] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 
.text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\wininit.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\wininit.exe[520] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007768f910 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 0000000100120490 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0xffffffff88a90590} .text C:\Windows\system32\csrss.exe[532] 
C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000001001204a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000001001204b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 0000000100120360 .text 
C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0xffffffff88a8fa90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes 
JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 0000000100120280 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\services.exe[580] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text 
C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\services.exe[580] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\services.exe[580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 
000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\lsass.exe[588] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text 
C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\lsass.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\lsass.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 
00000000777f0370 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 
bytes JMP 00000000777f03a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes 
JMP 00000000777f02a0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\lsm.exe[600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 
00000000777f0280 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\winlogon.exe[688] 
C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 
0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text 
C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\winlogon.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 
000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text 
C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 
00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[840] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 
bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[840] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 
00000000777f0220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 
000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text 
C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 
0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\System32\svchost.exe[904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\System32\svchost.exe[964] 
C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 
00000000777f02b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\System32\svchost.exe[964] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\System32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\System32\svchost.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 
00000000777f0460 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[1008] 
C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 
00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text 
C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 
000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text 
C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[1048] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 
bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text 
C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[1156] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 
00000000777f0280 .text C:\Windows\system32\svchost.exe[1156] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000000777f03e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[1268] 
C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 
0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000000777f0400 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text 
C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010024075c .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002403a4 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100240b14 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100240ecc .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\System32\spoolsv.exe[1720] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010024163c .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100241284 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 
000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text 
C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002419f4 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\System32\spoolsv.exe[1720] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\System32\spoolsv.exe[1720] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Windows\Common Files 
(x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001101f8 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001103fc .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100110600 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100110804 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100110a08 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100121014 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100120804 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100120a08 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100120c0c .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100120e10 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001201f8 .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001203fc .text C:\Windows\Common Files (x86)\Adobe\ARM\1.0\armsvc.exe[1808] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100120600 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001002c075c .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002c03a4 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001002c0b14 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001002c0ecc .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 
000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001002c163c .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001002c1284 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text 
C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[1920] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002c19f4 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 
00000000777f0420 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\svchost.exe[1920] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100170600 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100170804 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100170c0c .text 
C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100170a08 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100170e10 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001001701f8 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001001703fc .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001801f8 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001803fc .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100180600 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100180804 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100180a08 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100191014 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100190804 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100190a08 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100190c0c .text C:\Windows\SysWOW64\srvany.exe[1956] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100190e10 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001901f8 .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001903fc .text C:\Windows\SysWOW64\srvany.exe[1956] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100190600 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010046075c .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001004603a4 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100460b14 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100460ecc .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010046163c .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 
bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100461284 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 0000000100070490 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0xffffffff889e0590} .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 0000000100070350 .text 
C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000001000704a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000001000704b0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1248] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0xffffffff889dfa90} .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001004619f4 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 
000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\svchost.exe[1248] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100110a08 .text C:\Program 
Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 3 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll + 4 000000007785c4ae 1 byte [88] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Common 
Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100131014 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100130804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100130a08 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100130c0c .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100130e10 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001301f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001303fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\ToolbarUpdater.exe[1420] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100130600 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001001a075c .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001a03a4 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 
00000000777f0470 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001001a0b14 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001001a0ecc .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001001a163c .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\System32\svchost.exe[1804] 
C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001001a1284 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 
00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001a19f4 .text 
C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\System32\svchost.exe[1804] 
C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\System32\svchost.exe[1804] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010011075c .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001103a4 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100110b14 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100110ecc .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010011163c .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100111284 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001119f4 .text C:\Windows\system32\svchost.exe[536] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 
000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 00000001001c0600 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 00000001001c0804 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 00000001001c0c0c .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 00000001001c0a08 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 00000001001c0e10 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001001c01f8 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001001c03fc .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 00000001001d1014 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 00000001001d0804 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 00000001001d0a08 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 
0000000076b054c2 5 bytes JMP 00000001001d0c0c .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 00000001001d0e10 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001d01f8 .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001d03fc .text C:\Windows\KMService.exe[2080] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 00000001001d0600 .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001e01f8 .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001e03fc .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 00000001001e0600 .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 00000001001e0804 .text C:\Windows\KMService.exe[2080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 00000001001e0a08 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001001a075c .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\conhost.exe[2092] 
C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001001a163c .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 
00000000777f0230 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text 
C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001a19f4 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\conhost.exe[2092] 
C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\conhost.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] 
C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\AVG Secure 
Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\user32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\user32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\15.3.0\loggingserver.exe[2288] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100270a08 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010018075c .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\conhost.exe[2296] 
C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010018163c .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100181284 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 
000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text 
C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001819f4 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\conhost.exe[2296] 
C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\conhost.exe[2296] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010011075c .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001103a4 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100110b14 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100110ecc .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010011163c .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 
bytes JMP 00000000777f0390 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100111284 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text 
C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\svchost.exe[2616] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001119f4 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 
bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\svchost.exe[2616] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010017075c .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001703a4 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100170b14 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100170ecc .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 
00000000777f0370 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010017163c .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100171284 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 
000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\SearchIndexer.exe[2532] 
C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001719f4 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text 
C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\SearchIndexer.exe[2532] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes 
JMP 000007ff7e1e0b14 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001000f075c .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001000f03a4 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001000f0b14 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001000f0ecc .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001000f163c .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text 
C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001000f1284 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\taskhost.exe[2784] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 
3 bytes {JMP 0x15fa90} .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001000f19f4 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c 
.text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\taskhost.exe[2784] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010028075c .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010028163c .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 
000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100281284 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\Dwm.exe[2992] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\Dwm.exe[2992] 
C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002819f4 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text 
C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\Dwm.exe[2992] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010017075c .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001703a4 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100170b14 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100170ecc .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010017163c .text 
C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100171284 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\Explorer.EXE[1908] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 
00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001719f4 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\Explorer.EXE[1908] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text 
C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\Explorer.EXE[1908] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010011075c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001001103a4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100110b14 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100110ecc .text C:\Program Files\Common Files\Common Desktop 
Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010011163c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100111284 .text C:\Program Files\Common Files\Common 
Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text 
C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001001119f4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 
byte [62] .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[1528] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010024075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002403a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100240b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100240ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010024163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text 
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100241284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes 
JMP 00000000777f0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 
0x15fa90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002419f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes 
JMP 000007ff7e1e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001003c075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001003c03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 0000000100070470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 0000000100070460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001003c0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001003c0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 
0000000100070370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 0000000100070480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001003c163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 0000000100070320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000001000703b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 0000000100070390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000001000702e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 0000000100070440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000001000702d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 0000000100070310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000001000703c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001003c1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000001000703f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 0000000100070230 .text C:\Program 
Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 0000000100070490 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0xffffffff889e0590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000001000703a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000001000702f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 0000000100070350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 0000000100070290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000001000702b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000001000703d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 0000000100070330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 0000000100070410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 0000000100070240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000001000701e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 0000000100070250 .text C:\Program 
Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000001000704a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000001000704b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 0000000100070300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 0000000100070360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000001000702a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000001000702c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 0000000100070380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 0000000100070340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 0000000100070450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0xffffffff889dfa90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 0000000100070260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 0000000100070270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001003c19f4 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000001000701f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 0000000100070210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 0000000100070200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 0000000100070420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 0000000100070430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 0000000100070220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 0000000100070280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Program Files\Windows 
Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3156] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3288] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001801f8 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001803fc .text C:\Program 
Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100180600 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100180804 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100180a08 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100191014 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100190804 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100190a08 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100190c0c .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100190e10 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001901f8 .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001903fc .text C:\Program Files\Winamp\winampa.exe[3300] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100190600 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] 
C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001002101f8 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001002103fc .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100210600 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100210804 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100210a08 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100221014 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100220804 .text C:\Program 
Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100220a08 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100220c0c .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100220e10 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001002201f8 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001002203fc .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100220600 .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75] .text C:\Program Files (x86)\AVG Secure Search\vprot.exe[3336] C:\Windows\syswow64\Psapi.dll!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75] .text ... 
* 2 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 00000001001e1014 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 00000001001e0804 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 00000001001e0a08 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 
00000001001e0c0c .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 00000001001e0e10 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001e01f8 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001e03fc .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 00000001001e0600 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001f01f8 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001f03fc .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 00000001001f0600 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 00000001001f0804 .text C:\Windows\Common Files (x86)\Java\Java Update\jusched.exe[3408] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 00000001001f0a08 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010032075c .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\wuauclt.exe[3936] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010032163c .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 00000000777f0440 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 
bytes JMP 0000000100321284 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text 
C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001003219f4 .text C:\Windows\system32\wuauclt.exe[3936] 
C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\wuauclt.exe[3936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\wuauclt.exe[3936] 
C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 00000001002b075c .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 00000000777f0470 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 00000000777f0460 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 00000000777f0370 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 00000000777f0480 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 00000001002b163c .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 00000000777f0320 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000000777f03b0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 00000000777f0390 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000000777f02e0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 
00000000777f0440 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000000777f02d0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 00000000777f0310 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000000777f03c0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000000777f03f0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 00000000777f0230 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 00000000777f0490 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0x160590} .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000000777f03a0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000000777f02f0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 00000000777f0350 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 00000000777f0290 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000000777f02b0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000000777f03d0 .text 
C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077690140 5 bytes JMP 00000000777f0330 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 00000000777f0410 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 00000000777f0240 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000000777f01e0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 00000000777f0250 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000000777f04a0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000000777f04b0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 00000000777f0300 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 00000000777f0360 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000000777f02a0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000000777f02c0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 00000000777f0380 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 00000000777f0340 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 00000000777f0450 .text C:\Windows\system32\AUDIODG.EXE[3556] 
C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0x15fa90} .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 00000000777f0260 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 00000000777f0270 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002b19f4 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000000777f01f0 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 00000000777f0210 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 00000000777f0200 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 00000000777f0420 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 00000000777f0430 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 00000000777f0220 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 00000000777f0280 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 
000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\AUDIODG.EXE[3556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text 
C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001001001f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001001003fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100100600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100100804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100100a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100111014 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100110804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100110a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100110c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100110e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001001101f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001001103fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100110600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[2812] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [2812] entry point in ".rdata" section 00000000721f71e6 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007783f941 7 bytes {MOV EDX, 0xafa628; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100bc0600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100bc0804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007783fb85 7 bytes {MOV EDX, 0xafa668; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007783fbb5 7 bytes {MOV EDX, 0xafa5a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007783fbcd 7 bytes {MOV EDX, 0xafa528; JMP RDX} .text 
C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007783fbe5 7 bytes {MOV EDX, 0xafa728; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007783fc15 7 bytes {MOV EDX, 0xafa768; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100bc0c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007783fc95 7 bytes {MOV EDX, 0xafa6e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007783fcad 7 bytes {MOV EDX, 0xafa6a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007783fcf9 7 bytes {MOV EDX, 0xafa468; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007783fdf1 7 bytes {MOV EDX, 0xafa4a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100bc0a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077840049 7 bytes {MOV EDX, 0xafa428; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077841055 7 bytes {MOV EDX, 0xafa5e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778410cd 7 bytes {MOV EDX, 0xafa568; 
JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778412d1 7 bytes {MOV EDX, 0xafa4e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100bc0e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 0000000100bc01f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 0000000100bc03fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 0000000100bd01f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 0000000100bd03fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100bd0600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100bd0804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100bd0a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100be1014 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100be0804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100be0a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100be0c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100be0e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 0000000100be01f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 0000000100be03fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100be0600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[3808] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75] .text ... 
* 2 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007783f941 7 bytes {MOV EDX, 0xd7c628; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100de0600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100de0804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007783fb85 7 bytes {MOV EDX, 0xd7c668; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007783fbb5 7 bytes {MOV EDX, 0xd7c5a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007783fbcd 7 bytes {MOV EDX, 0xd7c528; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007783fbe5 7 bytes {MOV EDX, 0xd7c728; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007783fc15 7 bytes {MOV EDX, 0xd7c768; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100de0c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007783fc95 7 bytes {MOV EDX, 0xd7c6e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007783fcad 7 bytes {MOV EDX, 
0xd7c6a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007783fcf9 7 bytes {MOV EDX, 0xd7c468; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007783fdf1 7 bytes {MOV EDX, 0xd7c4a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100de0a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077840049 7 bytes {MOV EDX, 0xd7c428; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077841055 7 bytes {MOV EDX, 0xd7c5e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778410cd 7 bytes {MOV EDX, 0xd7c568; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778412d1 7 bytes {MOV EDX, 0xd7c4e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100de0e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 0000000100de01f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 0000000100de03fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text 
C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 0000000100df01f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 0000000100df03fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100df0600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100df0804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100df0a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100e01014 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100e00804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100e00a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100e00c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100e00e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 0000000100e001f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] 
C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 0000000100e003fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100e00600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75] .text ... * 2 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007783f941 7 bytes {MOV EDX, 0xcf6628; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100d60600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100d60804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007783fb85 7 bytes {MOV EDX, 0xcf6668; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007783fbb5 7 bytes {MOV EDX, 0xcf65a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007783fbcd 7 bytes {MOV EDX, 0xcf6528; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007783fbe5 7 bytes {MOV EDX, 0xcf6728; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] 
C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007783fc15 7 bytes {MOV EDX, 0xcf6768; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100d60c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007783fc95 7 bytes {MOV EDX, 0xcf66e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007783fcad 7 bytes {MOV EDX, 0xcf66a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007783fcf9 7 bytes {MOV EDX, 0xcf6468; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007783fdf1 7 bytes {MOV EDX, 0xcf64a8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100d60a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077840049 7 bytes {MOV EDX, 0xcf6428; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077841055 7 bytes {MOV EDX, 0xcf65e8; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000778410cd 7 bytes {MOV EDX, 0xcf6568; JMP RDX} .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000778412d1 7 bytes {MOV EDX, 0xcf64e8; JMP RDX} .text 
C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100d60e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 0000000100d601f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 0000000100d603fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 0000000100d701f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 0000000100d703fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100d70600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100d70804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100d70a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100d81014 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100d80804 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] 
C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100d80a08 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100d80c0c .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100d80e10 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 0000000100d801f8 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 0000000100d803fc .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100d80600 .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075571465 2 bytes [57, 75] .text C:\Users\MARCIN\AppData\Local\Google\Chrome\Application\chrome.exe[444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000755714bb 2 bytes [57, 75] .text ... 
* 2 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077662c90 5 bytes JMP 000000010026075c .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077674420 5 bytes JMP 00000001002603a4 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 000000007768f760 5 bytes JMP 0000000100080470 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 000000007768f7b0 5 bytes JMP 0000000100080460 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 000000007768f830 5 bytes JMP 0000000100260b14 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 000000007768f890 5 bytes JMP 0000000100260ecc .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 000000007768f910 5 bytes JMP 0000000100080370 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 000000007768f960 5 bytes JMP 0000000100080480 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 000000007768f970 5 bytes JMP 000000010026163c .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007768fa20 5 bytes JMP 0000000100080320 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 000000007768fa50 5 bytes JMP 00000001000803b0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 000000007768fa70 5 bytes JMP 0000000100080390 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007768fab0 5 bytes JMP 00000001000802e0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 000000007768fb00 5 bytes JMP 0000000100080440 .text C:\Windows\system32\sppsvc.exe[3084] 
C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007768fb30 5 bytes JMP 00000001000802d0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007768fb50 5 bytes JMP 0000000100080310 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007768fb90 5 bytes JMP 00000001000803c0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 000000007768fbb0 5 bytes JMP 0000000100261284 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 000000007768fbe0 5 bytes JMP 00000001000803f0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 000000007768fd40 5 bytes JMP 0000000100080230 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 000000007768ff00 1 byte JMP 0000000100080490 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort + 2 000000007768ff02 3 bytes {JMP 0xffffffff889f0590} .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 000000007768ff30 5 bytes JMP 00000001000803a0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077690010 5 bytes JMP 00000001000802f0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077690020 5 bytes JMP 0000000100080350 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077690080 5 bytes JMP 0000000100080290 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077690110 5 bytes JMP 00000001000802b0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077690130 5 bytes JMP 00000001000803d0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 
0000000077690140 5 bytes JMP 0000000100080330 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00000000776901b0 5 bytes JMP 0000000100080410 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000776901e0 5 bytes JMP 0000000100080240 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000776904a0 5 bytes JMP 00000001000801e0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077690560 5 bytes JMP 0000000100080250 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077690590 5 bytes JMP 00000001000804a0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000776905a0 5 bytes JMP 00000001000804b0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000776905d0 5 bytes JMP 0000000100080300 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000776905e0 5 bytes JMP 0000000100080360 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077690640 5 bytes JMP 00000001000802a0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077690690 5 bytes JMP 00000001000802c0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000776906c0 5 bytes JMP 0000000100080380 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000776906d0 5 bytes JMP 0000000100080340 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000776909c0 1 byte JMP 0000000100080450 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 2 00000000776909c2 3 bytes {JMP 0xffffffff889efa90} .text 
C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077690bc0 5 bytes JMP 0000000100080260 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077690bd0 5 bytes JMP 0000000100080270 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077690be0 5 bytes JMP 00000001002619f4 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077690da0 5 bytes JMP 00000001000801f0 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077690db0 5 bytes JMP 0000000100080210 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077690e20 5 bytes JMP 0000000100080200 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077690e80 5 bytes JMP 0000000100080420 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077690e90 5 bytes JMP 0000000100080430 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077690ea0 5 bytes JMP 0000000100080220 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077690f80 5 bytes JMP 0000000100080280 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007757f1fd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe1c6e00 5 bytes JMP 000007ff7e1e1dac .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe1c6f2c 5 bytes JMP 000007ff7e1e0ecc .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe1c7220 5 bytes JMP 000007ff7e1e1284 .text C:\Windows\system32\sppsvc.exe[3084] 
C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe1c739c 5 bytes JMP 000007ff7e1e163c .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe1c7538 5 bytes JMP 000007ff7e1e19f4 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe1c75e8 5 bytes JMP 000007ff7e1e03a4 .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe1c790c 5 bytes JMP 000007ff7e1e075c .text C:\Windows\system32\sppsvc.exe[3084] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe1c7ab4 5 bytes JMP 000007ff7e1e0b14 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007783fa50 5 bytes JMP 0000000100030600 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007783fae8 5 bytes JMP 0000000100030804 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007783fc40 5 bytes JMP 0000000100030c0c .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 000000007783ffc8 5 bytes JMP 0000000100030a08 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtSetContextThread 00000000778418b0 5 bytes JMP 0000000100030e10 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007785c4aa 5 bytes JMP 00000001000301f8 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077861247 5 bytes JMP 00000001000303fc .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076ccb0c5 1 byte [62] .text 
C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076b05181 5 bytes JMP 0000000100241014 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076b05254 5 bytes JMP 0000000100240804 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000076b053d5 5 bytes JMP 0000000100240a08 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000076b054c2 5 bytes JMP 0000000100240c0c .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000076b055e2 5 bytes JMP 0000000100240e10 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000076b0567c 5 bytes JMP 00000001002401f8 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000076b0589f 5 bytes JMP 00000001002403fc .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076b05a22 5 bytes JMP 0000000100240600 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000755cf0e6 5 bytes JMP 00000001002501f8 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000755d3907 5 bytes JMP 00000001002503fc .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000755d8364 5 bytes JMP 0000000100250600 .text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000755e06b3 5 bytes JMP 0000000100250804 
.text C:\Users\MARCIN\AppData\Local\Temp\Temp1_gmer.zip\gmer.exe[4520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000755f0efc 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2980:852] 000007fefdfd3570 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2980:1992] 000007fefc202a88 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2980:1876] 000007fef5acc0b0 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2980:2488] 000007fefaec5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Description avast! 
mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswFsBlk Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswMonFlt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\CurrentControlSet\services\aswRdr Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@BootCounter 209 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@TickCounter 2626477 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswRvrt Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Type 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSnx Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@ErrorControl 1 Reg 
HKLM\SYSTEM\CurrentControlSet\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP@Description avast! Self Protection Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswSP Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Start 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\CurrentControlSet\services\aswTdi Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm@Description avast! 
VM Monitor Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm\Parameters Reg HKLM\SYSTEM\CurrentControlSet\services\aswVmm Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@001fcd39c2a4 0x2A 0xFF 0x11 0x09 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@001e4cf81d55 0x2D 0xB3 0xE3 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@d4206d58182e 0x7A 0xB5 0x23 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@000202355859 0xEC 0xD5 0x70 0xEE ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0015833d0a57@184617b14869 0x5A 0x06 0x2C 0x8A ... 
Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DisplayName aswFsBlk Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Group FSFilter Activity Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Description avast! mini-filter driver (aswFsBlk) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances@DefaultInstance aswFsBlk Instance Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Altitude 388400 Reg HKLM\SYSTEM\ControlSet002\services\aswFsBlk\Instances\aswFsBlk Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@ImagePath \??\C:\Windows\system32\drivers\aswMonFlt.sys Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DisplayName aswMonFlt Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Group FSFilter Anti-Virus Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt@Description avast! 
mini-filter driver (aswMonFlt) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances@DefaultInstance aswMonFlt Instance Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Altitude 320700 Reg HKLM\SYSTEM\ControlSet002\services\aswMonFlt\Instances\aswMonFlt Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ImagePath \SystemRoot\System32\Drivers\aswrdr2.sys Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DisplayName aswRdr Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswRdr@Description avast! WFP Redirect driver Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@MSIgnoreLSPDefault Reg HKLM\SYSTEM\ControlSet002\services\aswRdr\Parameters@WSIgnoreLSPDefault nl_lsp.dll,imon.dll,xfire_lsp.dll,mslsp.dll,mssplsp.dll,cwhook.dll,spi.dll,bmnet.dll,winsflt.dll Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Start 0 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@DisplayName aswRvrt Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt@Description avast! 
Revert Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@BootCounter 209 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@TickCounter 2626477 Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@SystemRoot \Device\Harddisk0\Partition2\Windows Reg HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters@ImproperShutdown 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Type 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DisplayName aswSnx Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Group FSFilter Virtualization Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@DependOnService FltMgr? Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Description avast! virtualization driver (aswSnx) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx@Tag 2 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances@DefaultInstance aswSnx Instance Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Altitude 137600 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Instances\aswSnx Instance@Flags 0 Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSnx\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP@DisplayName aswSP Reg HKLM\SYSTEM\ControlSet002\services\aswSP@Description avast! 
Self Protection Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@BehavShield 1 Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFolder \DosDevices\C:\Program Files\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@DataFolder \DosDevices\C:\ProgramData\AVAST Software\Avast Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@ProgramFilesFolder \DosDevices\C:\Program Files Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@GadgetFolder \DosDevices\C:\Program Files\Windows Sidebar\Shared Gadgets\aswSidebar.gadget Reg HKLM\SYSTEM\ControlSet002\services\aswSP\Parameters@NoWelcomeScreen 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Start 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DisplayName avast! Network Shield Support Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Group PNP_TDI Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@DependOnService tcpip? Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Description avast! Network Shield TDI driver Reg HKLM\SYSTEM\ControlSet002\services\aswTdi@Tag 9 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Type 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Start 3 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@DisplayName aswVmm Reg HKLM\SYSTEM\ControlSet002\services\aswVmm@Description avast! VM Monitor Reg HKLM\SYSTEM\ControlSet002\services\aswVmm\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Type 32 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Start 2 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! 
Antivirus@ImagePath "C:\Program Files\AVAST Software\Avast\AvastSvc.exe" Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DisplayName avast! Antivirus Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Group ShellSvcGroup Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@DependOnService aswMonFlt?RpcSS? Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@WOW64 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@ServiceSidType 1 Reg HKLM\SYSTEM\ControlSet002\services\avast! Antivirus@Description Instaluje i zarządza usługami antywirusowymi programu avast! na tym komputerze, co obejmuje rezydentny skaner, kwarantannę oraz harmonogram zadań. Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@001fcd39c2a4 0x2A 0xFF 0x11 0x09 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@001e4cf81d55 0x2D 0xB3 0xE3 0x31 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@d4206d58182e 0x7A 0xB5 0x23 0x99 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@000202355859 0xEC 0xD5 0x70 0xEE ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0015833d0a57@184617b14869 0x5A 0x06 0x2C 0x8A ... ---- EOF - GMER 2.1 ----