GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-11 19:01:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: k9oi3ivo.exe; Driver: C:\Users\ALEKS\AppData\Local\Temp\kwddakow.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\system32\drivers\USBPORT.SYS!DllUnload fffff88003028d8c 12 bytes {MOV RAX, 0xfffffa8004b602a0; JMP RAX} ---- User code sections - GMER 2.1 ---- .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x14e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 4 bytes [48, B8, 00, 0A] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 15] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 15, 00] .text c:\PROGRA~2\AVG\AVG2015\avgrsa.exe[512] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x16e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 17] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 17, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgcsrva.exe[568] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x4e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 4 bytes [48, B8, 10, 57] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 05] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 05, 00] .text C:\windows\system32\csrss.exe[988] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x4e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 4 bytes [48, B8, 10, 57] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 05] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 05, 00] .text C:\windows\system32\wininit.exe[492] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x4e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 4 bytes [48, B8, 10, 57] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 05] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 05, 00] .text C:\windows\system32\csrss.exe[504] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x12e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 13] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 13, 00] .text C:\windows\system32\services.exe[1004] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x4e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 4 bytes [48, B8, 10, 57] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 05] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 05, 00] .text C:\windows\system32\winlogon.exe[1032] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\lsass.exe[1060] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x10e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 11] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 11, 00] .text C:\windows\system32\lsm.exe[1092] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[1180] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\AVG Web TuneUp\WtuSystemSupport.exe[1240] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x17e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 18] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 18, 00] .text C:\windows\system32\nvvsvc.exe[1272] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1E] .text C:\Program Files (x86)\Common Files\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe[1296] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\syswow64\kernel32.dll!ReadFile 0000000076833e73 7 bytes JMP 0000000101fd22c0 .text C:\Program Files (x86)\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe[1324] C:\windows\syswow64\kernel32.dll!CreateFileW 0000000076833efc 5 bytes JMP 0000000101fd2350 .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[1452] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\System32\svchost.exe[1700] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\System32\svchost.exe[1732] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[1768] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[1804] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1A] .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe[484] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1756] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x16e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 17] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 17, 00] .text C:\windows\system32\nvvsvc.exe[1760] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[2160] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\System32\spoolsv.exe[2508] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[2720] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHWatchdog.exe[2972] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0F] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2492] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgidsagent.exe[2080] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgwdsvc.exe[2560] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x17e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 18] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 18, 00] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2616] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\System32\svchost.exe[2564] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[2892] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe[2068] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Program Files (x86)\Common Files\NMSAccessU.exe[3176] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 09] .text C:\Program Files (x86)\HTC\Internet Pass-Through\PassThruSvr.exe[3196] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0B] .text C:\windows\SysWOW64\rundll32.exe[3248] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x6e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 07] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 07, 00] .text C:\windows\system32\taskhost.exe[3548] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\taskeng.exe[3560] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0xfe8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 10] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 10, 00] .text C:\windows\system32\Dwm.exe[3672] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes [48, B8, 80, 17, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes [48, B8, B0, 0C, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\Explorer.EXE[3696] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x17e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 18] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 18, 00] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3912] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Windows\WindowsMobile\wmdc.exe[3920] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe[3964] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x17e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 18] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 18, 00] .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\CCleaner\CCleaner64.exe[3772] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1E] .text C:\Users\ALEKS\AppData\Local\FluxSoftware\Flux\flux.exe[1684] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2124] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0D] .text C:\Program Files (x86)\Netia\Mobilny Internet\UIExec.exe[3496] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x17e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 18] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 18, 00] .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files (x86)\baidu\BaiduSd\3.0.0.4605\BaiduSdUProxy64.exe[4032] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\AVG\AVG2015\avgui.exe[4076] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe[3668] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4112] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0A] .text C:\windows\SysWOW64\ctfmon.exe[4564] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\System32\svchost.exe[4328] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\System32\svchost.exe[4328] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\System32\svchost.exe[4328] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\System32\svchost.exe[4328] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1D] .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\windows\SysWOW64\Rezip.exe[4460] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1D] .text C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe[4752] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[4124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[4124] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\system32\svchost.exe[4124] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\svchost.exe[4124] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\Netia\Mobilny Internet\AssistantServices.exe[4944] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[4236] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\Program Files (x86)\AVG\AVG2015\avgnsa.exe[1972] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\Program Files (x86)\AVG\AVG2015\avgemca.exe[2908] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[5124] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0xfe8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 10] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 10, 00] .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\SearchIndexer.exe[5388] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[5760] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5760] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\system32\svchost.exe[5760] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\svchost.exe[5760] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x6e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 0000000077b90128 .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 0000000077b90018 .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 07] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 07, 00] .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 0000000077b900a0 .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x3b2590} .text C:\windows\servicing\TrustedInstaller.exe[6056] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[6096] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[6096] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\system32\svchost.exe[6096] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\svchost.exe[6096] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[5140] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5140] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\system32\svchost.exe[5140] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\svchost.exe[5140] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!KiUserCallbackDispatcher + 1 0000000077a2d8d7 11 bytes {MOV EAX, 0x7e8d0; ADD [RAX], AL; ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile 0000000077a2da20 5 bytes [48, B8, 70, 27, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDeviceIoControlFile + 8 0000000077a2da28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile 0000000077a2da30 5 bytes [48, B8, 10, 57, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtWriteFile + 8 0000000077a2da38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread 0000000077a2da80 5 bytes [48, B8, C0, 2B, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 0000000077a2da88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077a2db30 5 bytes [48, B8, 00, 0A, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory + 8 0000000077a2db38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a2db40 5 bytes [48, B8, 70, 59, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess + 8 0000000077a2db48 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess 0000000077a2db70 5 bytes [48, B8, C0, 2C, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationProcess + 8 0000000077a2db78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort 0000000077a2dbd0 5 bytes [48, B8, 50, 3F, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtRequestWaitReplyPort + 8 0000000077a2dbd8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 0000000077a2dc00 5 bytes [48, B8, 80, 5A, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryInformationThread + 8 0000000077a2dc08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess 0000000077a2dc10 5 bytes [48, B8, 50, 06, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 0000000077a2dc18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile 0000000077a2dc20 5 bytes [48, B8, C0, 25, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 0000000077a2dc28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a2dc30 5 bytes JMP 00000001779d0128 .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 0000000077a2dc38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 0000000077a2dc50 5 bytes [48, B8, 10, 19, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 0000000077a2dc58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077a2dc70 5 bytes [48, B8, 40, 08, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 8 0000000077a2dc78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile 0000000077a2dce0 5 bytes [48, B8, 90, 24, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 0000000077a2dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation 0000000077a2dd10 5 bytes [48, B8, 90, 5B, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQuerySystemInformation + 8 0000000077a2dd18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077a2dd20 5 bytes [48, B8, B0, 16, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 0000000077a2dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a2dd50 5 bytes JMP 00000001779d0018 .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory + 8 0000000077a2dd58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject 0000000077a2dd70 5 bytes [48, B8, C0, 2D, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDuplicateObject + 8 0000000077a2dd78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory 0000000077a2dda0 5 bytes [48, B8, 70, 0B, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtReadVirtualMemory + 8 0000000077a2dda8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a2ddb0 5 bytes [48, B8, A0, 4F, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 0000000077a2ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtContinue 0000000077a2dde0 5 bytes [48, B8, B0, 58, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtContinue + 8 0000000077a2dde8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077a2de00 5 bytes [48, B8, 00, 20, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThread + 8 0000000077a2de08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a2de30 5 bytes [48, B8, 90, 4E, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 0000000077a2de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077a2de50 5 bytes [48, B8, 50, 15, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 0000000077a2de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx 0000000077a2de80 5 bytes [48, B8, 30, 48, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcessEx + 8 0000000077a2de88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077a2de90 5 bytes [48, B8, A0, 1C, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 0000000077a2de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077a2deb0 5 bytes [48, B8, 80, 0F, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory + 8 0000000077a2deb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077a2dee0 5 bytes [48, B8, 20, 09, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtTerminateThread + 8 0000000077a2dee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile 0000000077a2df00 5 bytes [48, B8, C0, 22, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 0000000077a2df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject 0000000077a2df70 5 bytes [48, B8, D0, 4C, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetInformationObject + 8 0000000077a2df78 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a2e380 5 bytes [48, B8, 70, 50, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 0000000077a2e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 0000000077a2e390 5 bytes [48, B8, 00, 54, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 0000000077a2e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile 0000000077a2e3a0 5 bytes [48, B8, B0, 4D, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreatePagingFile + 8 0000000077a2e3a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess 0000000077a2e3d0 5 bytes [48, B8, C0, 46, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProcess + 8 0000000077a2e3d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile 0000000077a2e3e0 5 bytes [48, B8, 80, 5C, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfile + 8 0000000077a2e3e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx 0000000077a2e3f0 5 bytes [48, B8, 20, 5E, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateProfileEx + 8 0000000077a2e3f8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a2e410 5 bytes [48, B8, 20, 52, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 0000000077a2e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a2e420 5 bytes [48, B8, 30, 56, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject + 8 0000000077a2e428 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077a2e430 5 bytes [48, B8, 20, 1E, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateThreadEx + 8 0000000077a2e438 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a2e480 5 bytes [48, B8, C0, 49, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtCreateUserProcess + 8 0000000077a2e488 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077a2e4b0 5 bytes [48, B8, D0, 2A, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess + 8 0000000077a2e4b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile 0000000077a2e500 5 bytes [48, B8, D0, 26, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 0000000077a2e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess 0000000077a2e6c0 5 bytes [48, B8, C0, 30, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtGetNextProcess + 8 0000000077a2e6c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread 0000000077a2e6d0 5 bytes [48, B8, D0, 31, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtGetNextThread + 8 0000000077a2e6d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077a2e7a0 5 bytes [48, B8, 10, 3E, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtLoadDriver + 8 0000000077a2e7a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a2e940 5 bytes [48, B8, 50, 51, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 0000000077a2e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a2e990 5 bytes [48, B8, 30, 53, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 0000000077a2e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread 0000000077a2e9c0 5 bytes [48, B8, 40, 07, 08] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 0000000077a2e9c8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile 0000000077a2ebb0 6 bytes [48, B8, D0, 5F, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueryIntervalProfile + 8 0000000077a2ebb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077a2ecc0 6 bytes [48, B8, 40, 21, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx + 8 0000000077a2ecc8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError 0000000077a2ece0 6 bytes [48, B8, A0, 4B, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtRaiseHardError + 8 0000000077a2ece8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077a2eee0 6 bytes [48, B8, B0, 1B, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetContextThread + 8 0000000077a2eee8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile 0000000077a2f000 6 bytes [48, B8, 90, 60, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetIntervalProfile + 8 0000000077a2f008 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077a2f0a0 6 bytes [48, B8, 40, 3D, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSetSystemInformation + 8 0000000077a2f0a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077a2f180 6 bytes [48, B8, F0, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSuspendProcess + 8 0000000077a2f188 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077a2f190 6 bytes [48, B8, 00, 1A, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSuspendThread + 8 0000000077a2f198 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077a2f1a0 6 bytes [48, B8, 10, 3C, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtSystemDebugControl + 8 0000000077a2f1a8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver 0000000077a2f220 6 bytes [48, B8, B0, 3E, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtUnloadDriver + 8 0000000077a2f228 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077a2f280 6 bytes [48, B8, 40, 61, 08, 00] .text C:\windows\system32\svchost.exe[5856] C:\windows\SYSTEM32\ntdll.dll!NtVdmControl + 8 0000000077a2f288 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\kernel32.dll!CreateProcessInternalW 00000000777ddb10 1 byte JMP 00000000779d00a0 .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\kernel32.dll!CreateProcessInternalW + 2 00000000777ddb12 3 bytes {JMP 0x1f2590} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!RegisterUserApiHook + 192 0000000000a91df0 6 bytes JMP 89416024 .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!SetWindowPlacement 0000000000a98150 6 bytes {JMP QWORD [RIP+0x793a2]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!SetParent 0000000000a98530 6 bytes {JMP QWORD [RIP+0x78fa2]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!DestroyWindow 0000000000a9cbf0 6 bytes {JMP QWORD [RIP+0x748aa]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!DestroyWindow + 64 0000000000a9cc30 6 bytes {JMP QWORD [RIP+0x74882]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!LookupIconIdFromDirectoryEx + 292 0000000000a9f860 6 bytes {JMP QWORD [RIP+0x71c9a]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!GetWindowThreadProcessId + 208 0000000000aa0b60 6 bytes {JMP QWORD [RIP+0x7096a]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!ShowWindow 0000000000aa1930 6 bytes {JMP QWORD [RIP+0x6fb72]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!ClientToScreen + 104 0000000000aa3320 6 bytes {JMP QWORD [RIP+0x6e1ba]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!SetWinEventHook + 212 0000000000aa4e20 6 bytes {JMP QWORD [RIP+0x6c6ea]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!IsDialogMessageW + 400 0000000000aa6850 6 bytes {JMP QWORD [RIP+0x6ac6a]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!SetWindowLongPtrW + 16 0000000000aa76d0 6 bytes {JMP QWORD [RIP+0x69df2]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!SendInput 0000000000ab8cd0 6 bytes {JMP QWORD [RIP+0x5881a]} .text C:\windows\system32\svchost.exe[5856] C:\windows\system32\USER32.dll!ShowWindowAsync 0000000000ab96f0 6 bytes {JMP QWORD [RIP+0x57dba]} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1B] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[6248] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Program Files\Windows Media Player\wmpnetwk.exe[6800] C:\windows\system32\KERNELBASE.dll!ResumeThread 000007fefc576590 5 bytes JMP 000007fff5b81cc0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077bdfc90 5 bytes JMP 000000016fac19d0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077bdfe54 5 bytes JMP 000000016fac15f0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\kernel32.dll!CreateProcessInternalW 0000000076843b93 5 bytes JMP 000000016fac1760 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\KERNELBASE.dll!ResumeThread 0000000076c33b49 5 bytes JMP 000000016fac1bb0 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 0B] .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe[4128] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 1 0000000077bdf94d 3 bytes [D1, BF, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtDeviceIoControlFile + 5 0000000077bdf951 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 1 0000000077bdf969 3 bytes [F9, DB, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtWriteFile + 5 0000000077bdf96d 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 1 0000000077be09a5 3 bytes [A1, C1, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtDebugActiveProcess + 5 0000000077be09a9 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 1 0000000077be1471 3 bytes [C4, E0, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtQueryIntervalProfile + 5 0000000077be1475 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 1 0000000077be1b29 3 bytes [4C, E1, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSetIntervalProfile + 5 0000000077be1b2d 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 1 0000000077be1d95 3 bytes [F2, B8, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSuspendProcess + 5 0000000077be1d99 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 1 0000000077be1db1 3 bytes [53, B8, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\SysWOW64\ntdll.dll!NtSuspendThread + 5 0000000077be1db5 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!DestroyWindow + 1 0000000076949a56 3 bytes [54, E2, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!DestroyWindow + 5 0000000076949a5a 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!ShowWindow + 1 0000000076950dfc 3 bytes [95, E2, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!ShowWindow + 5 0000000076950e00 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!SetParent + 1 0000000076952d65 3 bytes [D5, E4, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!SetParent + 5 0000000076952d69 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 1 0000000076954ab7 3 bytes [4C, E6, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!SetWindowPlacement + 5 0000000076954abb 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 1 00000000769a7d98 3 bytes [E7, E2, 1E] .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\USER32.dll!ShowWindowAsync + 5 00000000769a7d9c 2 bytes {JMP RAX} .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076c01401 2 bytes JMP 7685b20b C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076c01419 2 bytes JMP 7685b336 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076c01431 2 bytes JMP 768d8f39 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076c0144a 2 bytes CALL 76834885 C:\windows\syswow64\kernel32.dll .text ... * 9 .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076c014dd 2 bytes JMP 768d8832 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076c014f5 2 bytes JMP 768d8a08 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076c0150d 2 bytes JMP 768d8728 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076c01525 2 bytes JMP 768d8af2 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076c0153d 2 bytes JMP 7684fc98 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076c01555 2 bytes JMP 768568df C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076c0156d 2 bytes JMP 768d8ff1 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076c01585 2 bytes JMP 768d8b52 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076c0159d 2 bytes JMP 768d86ec C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076c015b5 2 bytes JMP 7684fd31 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076c015cd 2 bytes JMP 7685b2cc C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076c016b2 2 bytes JMP 768d8eb4 C:\windows\syswow64\kernel32.dll .text C:\Users\ALEKS\Downloads\k9oi3ivo.exe[3844] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076c016bd 2 bytes JMP 768d8681 C:\windows\syswow64\kernel32.dll ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [fffff88001128650] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [fffff880011285dc] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff880010f335c] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff880010f3224] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff880010f3a24] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff880010f3ba0] \SystemRoot\System32\Drivers\spyx.sys [unknown section] IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff88004225824] \SystemRoot\system32\DRIVERS\360Box64.sys [.text] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs fffffa80043032c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa8004b512c0 Device \Driver\cdrom \Device\CdRom0 fffffa80047672c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa8004b512c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa8004b512c0 Device \Driver\volmgr \Device\HarddiskVolume1 fffffa80042f72c0 Device \Driver\volmgr \Device\FtControl fffffa80042f72c0 Device \Driver\volmgr \Device\VolMgrControl fffffa80042f72c0 Device \Driver\volmgr \Device\HarddiskVolume2 fffffa80042f72c0 Device \Driver\volmgr \Device\HarddiskVolume3 fffffa80042f72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1215CEA4-945F-4507-827A-1F9497A627B5} fffffa8004a332c0 Device \Driver\volmgr \Device\HarddiskVolume4 fffffa80042f72c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1BCD3C09-0938-4530-BA25-BDC7964F2A54} fffffa8004a332c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B6AC41CC-732B-4B03-897C-92612C138041} fffffa8004a332c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{0F37DE00-15AC-4978-AA48-38417FFC1580} fffffa8004a332c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa8004a332c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa8004b512c0 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6800:7028] 000007fefacf2ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6800:1432] 000007feeeb05648 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6800:4592] 000007fef7475124 ---- Processes - GMER 2.1 ---- Library C:\??\C:\Program Files (x86)\360\Total Security\safemon\SafeWrapper.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [3696] 0000000073c00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6864 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b66b6982 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe516781 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe516781@0015b7303dc0 0x1F 0xE5 0x18 0xFC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe516781@30385547f478 0x59 0x0B 0x13 0x8F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\b482fe516781@1886ac0a742c 0xB7 0xD5 0xF4 0xC9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Deamon Tools\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0xCC 0x25 0x4C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0x64 0x35 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD8 0xA6 0xDB 0x03 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0xB8 0x69 0x44 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD1 0x93 0x74 0x1C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x59 0x0F 0xD3 0x76 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6864 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b66b6982 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe516781 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe516781@0015b7303dc0 0x1F 0xE5 0x18 0xFC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe516781@30385547f478 0x59 0x0B 0x13 0x8F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\b482fe516781@1886ac0a742c 0xB7 0xD5 0xF4 0xC9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Deamon Tools\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0xCC 0x25 0x4C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4F 0x64 0x35 0x55 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD8 0xA6 0xDB 0x03 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files (x86)\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0xB8 0x69 0x44 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD1 0x93 0x74 0x1C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x59 0x0F 0xD3 0x76 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----