GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-19 17:29:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: jb2g1ck1.exe; Driver: C:\Users\Adrian\AppData\Local\Temp\ugtdrpob.sys ---- Kernel code sections - GMER 2.0 ---- .text C:\Windows\system32\drivers\USBPORT.SYS!DllUnload fffff88004059d64 12 bytes {MOV RAX, 0xfffffa800593a2a0; JMP RAX} ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000149b30440 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000149b30430 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000149b30450 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0xffffffffd2b7ee90} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 0000000149b303b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000149b30320 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000149b30380 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 0000000149b302e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000149b30410 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 0000000149b302d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000149b30310 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000149b30390 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 0000000149b303c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000149b30230 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0xffffffffd2b7e890} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000149b30460 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000149b30370 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 0000000149b302f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000149b30350 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000149b30290 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 0000000149b302b0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 0000000149b303a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000149b30330 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0xffffffffd2b7e590} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 0000000149b303e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000149b30240 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 0000000149b301e0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000149b30250 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0xffffffffd2b7e090} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000149b30470 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000149b30480 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000149b30300 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000149b30360 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 0000000149b302a0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 0000000149b302c0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000149b30340 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000149b30420 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000149b30260 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000149b30270 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 0000000149b303d0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0xffffffffd2b7db90} .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 0000000149b301f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000149b30210 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000149b30200 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 0000000149b303f0 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000149b30400 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000149b30220 .text C:\Windows\system32\csrss.exe[420] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000149b30280 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0xffffffff8916ee90} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0xffffffff8916e890} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0xffffffff8916e590} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0xffffffff8916e090} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0xffffffff8916db90} .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\wininit.exe[488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\wininit.exe[488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0xffffffff890bee90} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0xffffffff890be890} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0xffffffff890be590} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0xffffffff890be090} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0xffffffff890bdb90} .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\services.exe[540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\services.exe[540] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\winlogon.exe[564] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0xffffffff890bee90} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0xffffffff890be890} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0xffffffff890be590} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0xffffffff890be090} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0xffffffff890bdb90} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\svchost.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\svchost.exe[816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\System32\svchost.exe[904] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\System32\svchost.exe[904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0xffffffff890bee90} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0xffffffff890be890} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0xffffffff890be590} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0xffffffff890be090} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0xffffffff890bdb90} .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\svchost.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\svchost.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\svchost.exe[888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\svchost.exe[888] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Program Files (x86)\Acer Bio Protection\CompPtcVUI.exe[1152] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text D:\xampp\apache\bin\httpd.exe[1312] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\taskhost.exe[1392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\Explorer.EXE[1452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\Explorer.EXE[1452] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\taskeng.exe[1620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text D:\Advanced SystemCare 6\Monitor.exe[1724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000742917fa 2 bytes [29, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000074291860 2 bytes [29, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000074291942 2 bytes [29, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007429194d 2 bytes [29, 74] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000021401 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000021419 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000021431 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000002144a 2 bytes [02, 00] .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000000214dd 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000000214f5 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000002150d 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000021525 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000002153d 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000021555 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000002156d 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000021585 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000002159d 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000000215b5 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000000215cd 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000000216b2 2 bytes [02, 00] .text C:\Windows\SysWOW64\PnkBstrA.exe[1804] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000000216bd 2 bytes [02, 00] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text D:\DAEMON Tools Pro\DTShellHlp.exe[1852] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100080600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100080804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100080c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100080e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100080a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001000801f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001000803fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001000901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001000903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100090804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100090600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100090a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 00000001000b1014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 00000001000b0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 00000001000b0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 00000001000b0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 00000001000b0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001000b01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001000b03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 00000001000b0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2252] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0xa35228; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100a50600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100a50804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0xa35268; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0xa351a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0xa35128; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0xa35328; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0xa35368; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100a50c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0xa352e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0xa352a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0xa35068; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0xa350a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100a50e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100a50a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0xa35028; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0xa351e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0xa35168; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0xa350e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 0000000100a501f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 0000000100a503fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 0000000100b101f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 0000000100b103fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100b10804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100b10600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100b10a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100b21014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100b20804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100b20a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100b20c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100b20e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 0000000100b201f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 0000000100b203fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100b20600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000b61401 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000b61419 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000b61431 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000b6144a 2 bytes [B6, 00] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000b614dd 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000b614f5 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000b6150d 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000b61525 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000b6153d 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000b61555 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000b6156d 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000b61585 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000b6159d 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000b615b5 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000b615cd 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000b616b2 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2568] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000b616bd 2 bytes [B6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x1027628; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000101040600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000101040804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x1027668; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x10275a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x1027528; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x1027728; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x1027768; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000101040c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x10276e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x10276a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x1027468; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x10274a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000101040e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000101040a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x1027428; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x10275e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x1027568; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x10274e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001010401f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001010403fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001011101f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001011103fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000101110804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000101110600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000101110a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000101121014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000101120804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000101120a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000101120c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000101120e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001011201f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001011203fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000101120600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000012a1401 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000012a1419 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000012a1431 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000012a144a 2 bytes [2A, 01] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000012a14dd 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000012a14f5 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000012a150d 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000012a1525 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000012a153d 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000012a1555 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000012a156d 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000012a1585 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000012a159d 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000012a15b5 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000012a15cd 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000012a16b2 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000012a16bd 2 bytes [2A, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x9ff628; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100a00600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100a00804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x9ff668; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x9ff5a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x9ff528; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x9ff728; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x9ff768; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100a00c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x9ff6e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x9ff6a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x9ff468; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x9ff4a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100a00e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100a00a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x9ff428; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x9ff5e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x9ff568; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x9ff4e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 0000000100a001f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 0000000100a003fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 0000000100a501f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 0000000100a503fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100a50804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100a50600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100a50a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100b11014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100b10804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100b10a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100b10c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100b10e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 0000000100b101f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 0000000100b103fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100b10600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000ce1401 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000ce1419 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000ce1431 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000ce144a 2 bytes [CE, 00] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000ce14dd 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000ce14f5 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000ce150d 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000ce1525 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000ce153d 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000ce1555 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000ce156d 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000ce1585 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000ce159d 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000ce15b5 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000ce15cd 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000ce16b2 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[2732] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000ce16bd 2 bytes [CE, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100080600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100080804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100080c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100080e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100080a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001000801f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001000803fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001000901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001000903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100090804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100090600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100090a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 00000001000b1014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 00000001000b0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 00000001000b0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 00000001000b0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 00000001000b0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001000b01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001000b03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 00000001000b0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3012] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 00000001000c0600 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 00000001000c0804 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 00000001000c0c0c .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 00000001000c0e10 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 00000001000c0a08 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001000c01f8 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001000c03fc .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100351014 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100350804 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100350a08 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100350c0c .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100350e10 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001003501f8 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001003503fc .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100350600 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\user32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001003601f8 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\user32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001003603fc .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\user32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100360804 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\user32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100360600 .text D:\xampp\apache\bin\httpd.exe[2212] C:\Windows\syswow64\user32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100360a08 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076f83ae0 5 bytes JMP 00000001002c075c .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076f87a90 5 bytes JMP 00000001002c03a4 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076fb1490 5 bytes JMP 00000001002c0b14 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076fb14f0 5 bytes JMP 00000001002c0ecc .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000001002c163c .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 00000001002c19f4 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076fb1810 5 bytes JMP 00000001002c1284 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff1b6e00 5 bytes JMP 000007ff7f1d1dac .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff1b6f2c 5 bytes JMP 000007ff7f1d0ecc .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff1b7220 5 bytes JMP 000007ff7f1d1284 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff1b739c 5 bytes JMP 000007ff7f1d163c .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff1b7538 5 bytes JMP 000007ff7f1d19f4 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff1b75e8 5 bytes JMP 000007ff7f1d03a4 .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff1b790c 5 bytes JMP 000007ff7f1d075c .text C:\Windows\System32\svchost.exe[3480] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff1b7ab4 5 bytes JMP 000007ff7f1d0b14 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0xe95228; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100eb0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100eb0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0xe95268; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0xe951a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0xe95128; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0xe95328; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0xe95368; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100eb0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0xe952e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0xe952a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0xe95068; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0xe950a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100eb0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100eb0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0xe95028; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0xe951e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0xe95168; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0xe950e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 0000000100eb01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 0000000100eb03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 0000000100f801f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 0000000100f803fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100f80804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100f80600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100f80a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100f91014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100f90804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100f90a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100f90c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100f90e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 0000000100f901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 0000000100f903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100f90600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000010d1401 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000010d1419 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000010d1431 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000010d144a 2 bytes [0D, 01] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000010d14dd 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000010d14f5 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000010d150d 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000010d1525 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000010d153d 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000010d1555 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000010d156d 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000010d1585 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000010d159d 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000010d15b5 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000010d15cd 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000010d16b2 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000010d16bd 2 bytes [0D, 01] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x677628; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100690600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100690804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x677668; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x6775a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x677528; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x677728; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x677768; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100690c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x6776e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x6776a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x677468; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x6774a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100690e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100690a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x677428; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x6775e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x677568; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x6774e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001006901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001006903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001007601f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001007603fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100760804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100760600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100760a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100771014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100770804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100770a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100770c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100770e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001007701f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001007703fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100770600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000008b1401 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000008b1419 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000008b1431 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000008b144a 2 bytes [8B, 00] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000008b14dd 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000008b14f5 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000008b150d 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000008b1525 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000008b153d 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000008b1555 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000008b156d 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000008b1585 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000008b159d 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000008b15b5 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000008b15cd 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000008b16b2 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3888] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000008b16bd 2 bytes [8B, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x404a28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100410600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100410804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x404a68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x4049a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x404928; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x404b28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x404b68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100410c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x404ae8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x404aa8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x404868; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x4048a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100410e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100410a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x404828; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x4049e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x404968; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x4048e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001004101f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001004103fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001004701f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001004703fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100470804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100470600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100470a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100481014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100480804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100480a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100480c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100480e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001004801f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001004803fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100480600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4088] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x4b6628; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 00000001004d0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 00000001004d0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x4b6668; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x4b65a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x4b6528; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x4b6728; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x4b6768; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 00000001004d0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x4b66e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x4b66a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x4b6468; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x4b64a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 00000001004d0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 00000001004d0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x4b6428; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x4b65e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x4b6568; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x4b64e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001004d01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001004d03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001006a01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001006a03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 00000001006a0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 00000001006a0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 00000001006a0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 00000001006b1014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 00000001006b0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 00000001006b0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 00000001006b0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 00000001006b0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001006b01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001006b03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 00000001006b0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3372] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0xd7c228; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100d90600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100d90804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0xd7c268; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0xd7c1a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0xd7c128; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0xd7c328; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0xd7c368; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100d90c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0xd7c2e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0xd7c2a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0xd7c068; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0xd7c0a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100d90e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100d90a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0xd7c028; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0xd7c1e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0xd7c168; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0xd7c0e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 0000000100d901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 0000000100d903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 0000000100e901f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 0000000100e903fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100e90804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100e90600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100e90a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100ea1014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100ea0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100ea0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100ea0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100ea0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 0000000100ea01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 0000000100ea03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100ea0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000f61401 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000f61419 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000f61431 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000f6144a 2 bytes [F6, 00] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000f614dd 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000f614f5 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000f6150d 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000f61525 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000f6153d 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000f61555 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000f6156d 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000f61585 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000f6159d 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000f615b5 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000f615cd 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000f616b2 2 bytes [F6, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[1652] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000f616bd 2 bytes [F6, 00] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 00000001001c0600 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 00000001001c0804 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 00000001001c0c0c .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 00000001001c0e10 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 00000001001c0a08 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001001c01f8 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001001c03fc .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000003581401 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000003581419 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000003581431 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000000358144a 2 bytes [58, 03] .text ... * 9 .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000035814dd 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000035814f5 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000000358150d 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000003581525 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000000358153d 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000003581555 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000000358156d 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000003581585 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000000358159d 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000035815b5 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000035815cd 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000035816b2 2 bytes [58, 03] .text C:\Users\Adrian\Downloads\OTL.exe[3864] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000035816bd 2 bytes [58, 03] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x23a228; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100250600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100250804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x23a268; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x23a1a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x23a128; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x23a328; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x23a368; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100250c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x23a2e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x23a2a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x23a068; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x23a0a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100250e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100250a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x23a028; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x23a1e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x23a168; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x23a0e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001002501f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001002503fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001004201f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001004203fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100420804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100420600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100420a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100431014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100430804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100430a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100430c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100430e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001004301f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001004303fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100430600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3240] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x236a28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 0000000100250600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 0000000100250804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x236a68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x2369a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x236928; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x236b28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x236b68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 0000000100250c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x236ae8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x236aa8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x236868; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x2368a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 0000000100250e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 0000000100250a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x236828; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x2369e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x236968; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x2368e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001002501f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001002503fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001004201f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001004203fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100420804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100420600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100420a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 0000000100431014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 0000000100430804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 0000000100430a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 0000000100430c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 0000000100430e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001004301f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001004303fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 0000000100430600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077111401 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077111419 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077111431 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007711144a 2 bytes [11, 77] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000771114dd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000771114f5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007711150d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077111525 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007711153d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077111555 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007711156d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077111585 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007711159d 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000771115b5 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000771115cd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000771116b2 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[3724] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000771116bd 2 bytes [11, 77] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007715f991 7 bytes {MOV EDX, 0x8c5a28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 00000001008e0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 00000001008e0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007715fbd5 7 bytes {MOV EDX, 0x8c5a68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007715fc05 7 bytes {MOV EDX, 0x8c59a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007715fc1d 7 bytes {MOV EDX, 0x8c5928; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007715fc35 7 bytes {MOV EDX, 0x8c5b28; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007715fc65 7 bytes {MOV EDX, 0x8c5b68; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 00000001008e0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007715fce5 7 bytes {MOV EDX, 0x8c5ae8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007715fcfd 7 bytes {MOV EDX, 0x8c5aa8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007715fd49 7 bytes {MOV EDX, 0x8c5868; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007715fe41 7 bytes {MOV EDX, 0x8c58a8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 00000001008e0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 00000001008e0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077160099 7 bytes {MOV EDX, 0x8c5828; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000771610a5 7 bytes {MOV EDX, 0x8c59e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007716111d 7 bytes {MOV EDX, 0x8c5968; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077161321 7 bytes {MOV EDX, 0x8c58e8; JMP RDX} .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001008e01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001008e03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001009a01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001009a03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 00000001009a0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 00000001009a0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 00000001009a0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000767d5181 5 bytes JMP 00000001009b1014 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000767d5254 5 bytes JMP 00000001009b0804 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767d53d5 5 bytes JMP 00000001009b0a08 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767d54c2 5 bytes JMP 00000001009b0c0c .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767d55e2 5 bytes JMP 00000001009b0e10 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000767d567c 5 bytes JMP 00000001009b01f8 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000767d589f 5 bytes JMP 00000001009b03fc .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000767d5a22 5 bytes JMP 00000001009b0600 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000a01401 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000a01419 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000a01431 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000a0144a 2 bytes [A0, 00] .text ... * 9 .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000a014dd 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000a014f5 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000a0150d 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000a01525 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000a0153d 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000a01555 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000a0156d 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000a01585 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000a0159d 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000a015b5 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000a015cd 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000a016b2 2 bytes [A0, 00] .text C:\Users\Adrian\AppData\Local\Google\Chrome\Application\chrome.exe[4040] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000a016bd 2 bytes [A0, 00] .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076fb13c0 5 bytes JMP 0000000077110440 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076fb1410 5 bytes JMP 0000000077110430 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076fb15c0 1 byte JMP 0000000077110450 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076fb15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076fb15d0 5 bytes JMP 00000000771103b0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076fb1680 5 bytes JMP 0000000077110320 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076fb16b0 5 bytes JMP 0000000077110380 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076fb1710 5 bytes JMP 00000000771102e0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076fb1760 5 bytes JMP 0000000077110410 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076fb1790 5 bytes JMP 00000000771102d0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076fb17b0 5 bytes JMP 0000000077110310 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076fb17f0 5 bytes JMP 0000000077110390 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076fb1840 5 bytes JMP 00000000771103c0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076fb19a0 1 byte JMP 0000000077110230 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076fb19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076fb1b60 5 bytes JMP 0000000077110460 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076fb1b90 5 bytes JMP 0000000077110370 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076fb1c70 5 bytes JMP 00000000771102f0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076fb1c80 5 bytes JMP 0000000077110350 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076fb1ce0 5 bytes JMP 0000000077110290 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076fb1d70 5 bytes JMP 00000000771102b0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076fb1d90 5 bytes JMP 00000000771103a0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076fb1da0 1 byte JMP 0000000077110330 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076fb1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076fb1e10 5 bytes JMP 00000000771103e0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076fb1e40 5 bytes JMP 0000000077110240 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076fb2100 5 bytes JMP 00000000771101e0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076fb21c0 1 byte JMP 0000000077110250 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076fb21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076fb21f0 5 bytes JMP 0000000077110470 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076fb2200 5 bytes JMP 0000000077110480 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076fb2230 5 bytes JMP 0000000077110300 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076fb2240 5 bytes JMP 0000000077110360 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076fb22a0 5 bytes JMP 00000000771102a0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076fb22f0 5 bytes JMP 00000000771102c0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076fb2330 5 bytes JMP 0000000077110340 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076fb2620 5 bytes JMP 0000000077110420 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076fb2820 5 bytes JMP 0000000077110260 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076fb2830 5 bytes JMP 0000000077110270 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076fb2840 1 byte JMP 00000000771103d0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076fb2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076fb2a00 5 bytes JMP 00000000771101f0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076fb2a10 5 bytes JMP 0000000077110210 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076fb2a80 5 bytes JMP 0000000077110200 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076fb2ae0 5 bytes JMP 00000000771103f0 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076fb2af0 5 bytes JMP 0000000077110400 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076fb2b00 5 bytes JMP 0000000077110220 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076fb2be0 5 bytes JMP 0000000077110280 .text C:\Windows\system32\AUDIODG.EXE[3620] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076b2eecd 1 byte [62] .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007715faa0 5 bytes JMP 00000001001c0600 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007715fb38 5 bytes JMP 00000001001c0804 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007715fc90 5 bytes JMP 00000001001c0c0c .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 000000007715ff84 5 bytes JMP 00000001001c0e10 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077160018 5 bytes JMP 00000001001c0a08 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007717c45a 5 bytes JMP 00000001001c01f8 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077181217 5 bytes JMP 00000001001c03fc .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075a0a30a 1 byte [62] .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007641ee09 5 bytes JMP 00000001002701f8 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076423982 5 bytes JMP 00000001002703fc .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076427603 5 bytes JMP 0000000100270804 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007642835c 5 bytes JMP 0000000100270600 .text C:\Users\Adrian\Downloads\jb2g1ck1.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007643f52b 5 bytes JMP 0000000100270a08 ---- Kernel IAT/EAT - GMER 2.0 ---- IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [fffff8800109ced8] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [fffff8800109cc7c] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [fffff8800109d658] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [fffff8800109da54] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [fffff8800109d8b0] \SystemRoot\System32\Drivers\sptd.sys [.text] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortCopyMemory] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortGetPhysicalAddress] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortReadRegisterUlong] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortInitializeEx] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortDeviceStateChange] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortEtwTraceLog] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortRegistryFreeBuffer] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortGetBusData] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortRegistryRead] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortRequestCallback] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortStallExecution] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortGetUnCachedExtension] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortReadRegisterUchar] [ff3320ec83485718] [unknown section] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortBuildRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortReleaseRequestSenseIrb] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortCompleteRequest] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortNotification] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortGetDeviceBase] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortGetScatterGatherList] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortRegistryAllocateBuffer] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[PCIIDEX.SYS!AtaPortWriteRegisterUlong] [?] IAT C:\Windows\System32\Drivers\aouhdysi.SYS[NTOSKRNL.exe!KeBugCheckEx] [fffa5fe8cb8b48ff] [unknown section] ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef91c2750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef91c2b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef91c7de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef91c8130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef91c1908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef91c1c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef91c81d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef91c2878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef91c7a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef91c6c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef91c77bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef91c7064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef91c6544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1872] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef91c5e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Devices - GMER 2.0 ---- Device \Driver\aouhdysi \Device\Scsi\aouhdysi1 Device \Driver\aouhdysi \Device\Scsi\aouhdysi1Port1Path0Target0Lun0 Device \FileSystem\Ntfs \Ntfs Device \Driver\NetBT \Device\NetBT_Tcpip_{07BDF19A-1DCD-45C1-9CB6-72ABDC4E8AFD} ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbehci \Device\USBFDO-7 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBPDO-5 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-3 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBPDO-1 ws\system32\DRIVERS\kbdclass.sys Device \Driver\cdrom \Device\CdRom0 ws\system32\DRIVERS\kbdclass.sys Device \Driver\cdrom \Device\CdRom1 ws\system32\DRIVERS\kbdclass.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{FF9E614F-ED0E-46E5-9637-B4B7699BA2EB} ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBPDO-6 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-4 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-0 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbehci \Device\USBPDO-2 ws\system32\DRIVERS\kbdclass.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{E4AFCFD0-3D01-4170-AF42-0D934FA55C9D} ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbehci \Device\USBPDO-7 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-5 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBPDO-3 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-1 ws\system32\DRIVERS\kbdclass.sys Device \Driver\NetBT \Device\NetBt_Wins_Export ws\system32\DRIVERS\kbdclass.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{D8467B1F-E955-4F20-B883-D099FF07A33E} ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBFDO-6 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbuhci \Device\USBPDO-4 ws\system32\DRIVERS\kbdclass.sys Device \Driver\usbehci \Device\USBFDO-2 Device \Driver\usbuhci \Device\USBPDO-0 Device \Driver\aouhdysi \Device\ScsiPort1 ---- Modules - GMER 2.0 ---- Module \SystemRoot\System32\Drivers\aouhdysi.SYS fffff8800f200000-fffff8800f24d000 (315392 bytes) ---- Threads - GMER 2.0 ---- Thread [1124:1180] 0000000077192e25 Thread [1124:1184] 000000007445345e Thread [1124:1196] 00000000767d7587 Thread [1124:1280] 0000000073ae63e0 Thread [1124:1284] 0000000073ae5d00 Thread [1124:1324] 000000007445345e Thread [1124:2020] 000000007445345e Thread [1124:996] 0000000073adbad0 Thread [1124:1296] 0000000073adbad0 Thread [1124:1500] 0000000073adbad0 Thread [1124:1504] 0000000073adc8d0 Thread [1124:1556] 0000000073adc330 Thread [1124:1616] 0000000073af76d0 Thread [1124:1352] 0000000073af64b0 Thread [1124:1656] 0000000073af6880 Thread [1124:1348] 0000000073ade190 Thread [1124:1332] 0000000073ade190 Thread [1124:1340] 0000000073ade190 Thread [1124:1336] 00000000739d12f0 Thread [1124:1328] 00000000739d2b70 Thread [1124:1660] 00000000739d2b70 Thread [1124:1688] 00000000733a1070 Thread [1124:1888] 000000007445345e Thread [1124:1884] 000000007445345e Thread [1124:1476] 00000000732b12f0 Thread [1124:1472] 0000000073291000 Thread [1124:1448] 0000000073ae6f20 Thread [1124:1444] 0000000073addd10 Thread [1124:1936] 000000007445345e Thread [1124:1076] 0000000073be4f10 Thread [1124:1104] 00000000733a16a0 Thread [1124:1108] 0000000073136020 Thread [1124:1008] 0000000073291280 Thread [1124:892] 0000000073d33970 Thread [1124:316] 000000007445345e Thread [1124:668] 0000000073d37d80 Thread [1124:712] 0000000073d3fec0 Thread [1124:692] 0000000073d424b0 Thread [1124:752] 0000000073d38870 Thread [1124:2052] 0000000077193e45 Thread [1124:2056] 0000000073001670 Thread [1124:2060] 0000000073d3a580 Thread [1124:2064] 0000000073d3a580 Thread [1124:2068] 0000000073001840 Thread [1124:2072] 0000000073d3e060 Thread [1124:2080] 0000000077193e45 Thread [1124:2116] 0000000073d428d0 Thread [1124:2120] 000000007445345e Thread [1124:2124] 0000000072e752c9 Thread [1124:2136] 00000000744532ce Thread [1124:2140] 00000000744532ce Thread [1124:2144] 00000000744532ce Thread [1124:2148] 00000000744532ce Thread [1124:2152] 00000000744532ce Thread [1124:2156] 00000000744532ce Thread [1124:2160] 00000000744532ce Thread [1124:2164] 00000000744532ce Thread [1124:2168] 00000000744532ce Thread [1124:2172] 00000000744532ce Thread [1124:2176] 00000000744532ce Thread [1124:1672] 0000000077193e45 Thread [1124:1644] 0000000077193e45 Thread [1124:3640] 0000000073f562ee Thread D:\xampp\mysql\bin\mysqld.exe [1732:1756] 0000000077192e25 Thread D:\xampp\mysql\bin\mysqld.exe [1732:1768] 00000000767d7587 Thread D:\xampp\mysql\bin\mysqld.exe [1732:2688] 0000000077193e45 ---- Processes - GMER 2.0 ---- Library ? (*** suspicious ***) @ [1124] 0000000000f40000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c243bb Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c243bb@64a76950976e 0xEC 0x1E 0x39 0x38 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c243bb@a87e336e2f9e 0xF8 0x76 0x3C 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c243bb@6c0e0d6e67c0 0x7C 0xCF 0x03 0x6B ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x02 0xF7 0x50 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4D 0x35 0xBE 0xB9 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE1 0x23 0x13 0x5B ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c243bb (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c243bb@64a76950976e 0xEC 0x1E 0x39 0x38 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c243bb@a87e336e2f9e 0xF8 0x76 0x3C 0x84 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c243bb@6c0e0d6e67c0 0x7C 0xCF 0x03 0x6B ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x02 0xF7 0x50 0xCD ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4D 0x35 0xBE 0xB9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xE1 0x23 0x13 0x5B ... ---- Files - GMER 2.0 ---- File C:\ProgramData\IObit\Protected Folder\config.ini 139 bytes File C:\ProgramData\IObit\Protected Folder\drawposs.db 21 bytes File C:\ProgramData\IObit\Protected Folder\fstile.cds 2 bytes ---- EOF - GMER 2.0 ----