GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-07 11:45:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC38 465,76GB Running: rjf5zst3.exe; Driver: C:\Users\Janeczek\AppData\Local\Temp\pxddqfow.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\csrss.exe[564] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001003a075c .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\wininit.exe[648] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000772f6ef0 6 bytes {JMP QWORD [RIP+0x90e9140]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000772f8184 6 bytes {JMP QWORD [RIP+0x91c7eac]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SetParent 00000000772f8530 6 bytes {JMP QWORD [RIP+0x9107b00]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000772f8550 5 bytes JMP 000000010045075c .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!PostMessageA 00000000772fa404 6 bytes {JMP QWORD [RIP+0x8ea5c2c]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!EnableWindow 00000000772faaa0 6 bytes {JMP QWORD [RIP+0x9205590]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!MoveWindow 00000000772faad0 6 bytes {JMP QWORD [RIP+0x9125560]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000772fc720 6 bytes {JMP QWORD [RIP+0x90c3910]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000772fcd50 6 bytes {JMP QWORD [RIP+0x91a32e0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000772fd2b0 6 bytes {JMP QWORD [RIP+0x8ee2d80]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageA 00000000772fd338 6 bytes {JMP QWORD [RIP+0x8f22cf8]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000772fd440 5 bytes JMP 0000000100451284 .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000772fdc40 6 bytes {JMP QWORD [RIP+0x90023f0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000772ff510 6 bytes {JMP QWORD [RIP+0x91e0b20]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000772ff874 5 bytes JMP 0000000100450ecc .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000772ffac0 6 bytes {JMP QWORD [RIP+0x8f80570]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077300b74 6 bytes {JMP QWORD [RIP+0x8eff4bc]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077304d4c 5 bytes JMP 00000001004503a4 .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!GetKeyState 0000000077305010 6 bytes {JMP QWORD [RIP+0x909b020]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077305438 6 bytes {JMP QWORD [RIP+0x8fbabf8]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageW 0000000077306b50 6 bytes {JMP QWORD [RIP+0x8f394e0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!PostMessageW 00000000773076e4 6 bytes {JMP QWORD [RIP+0x8eb894c]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007730dd90 6 bytes {JMP QWORD [RIP+0x90322a0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!GetClipboardData 000000007730e874 6 bytes {JMP QWORD [RIP+0x91717bc]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007730f780 6 bytes {JMP QWORD [RIP+0x91308b0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773128e4 6 bytes {JMP QWORD [RIP+0x8fcd74c]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!mouse_event 0000000077313894 6 bytes {JMP QWORD [RIP+0x8ddc79c]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077318a10 6 bytes {JMP QWORD [RIP+0x9067620]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077318be0 6 bytes {JMP QWORD [RIP+0x8f47450]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077318c20 5 bytes JMP 0000000100450b14 .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendInput 0000000077318cd0 6 bytes {JMP QWORD [RIP+0x9047360]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!BlockInput 000000007731ad60 6 bytes {JMP QWORD [RIP+0x91452d0]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773414e0 6 bytes {JMP QWORD [RIP+0x91deb50]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!keybd_event 00000000773645a4 6 bytes {JMP QWORD [RIP+0x8d6ba8c]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007736cc08 6 bytes {JMP QWORD [RIP+0x8fb3428]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007736df18 6 bytes {JMP QWORD [RIP+0x8f32118]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\wininit.exe[648] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\csrss.exe[668] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\USER32.dll!UnhookWinEvent 00000000772f8550 5 bytes JMP 00000001003e075c .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 00000000772fd440 5 bytes JMP 00000001003e1284 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000772ff874 5 bytes JMP 00000001003e0ecc .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000077304d4c 5 bytes JMP 00000001003e03a4 .text C:\Windows\system32\winlogon.exe[724] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077318c20 5 bytes JMP 00000001003e0b14 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\services.exe[748] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\services.exe[748] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\services.exe[748] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\services.exe[748] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4e6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\services.exe[748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!RegisterRawInputDevices 00000000772f6ef0 6 bytes {JMP QWORD [RIP+0x90b9140]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SystemParametersInfoA 00000000772f8184 6 bytes {JMP QWORD [RIP+0x9197eac]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SetParent 00000000772f8530 6 bytes {JMP QWORD [RIP+0x90d7b00]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!PostMessageA 00000000772fa404 6 bytes {JMP QWORD [RIP+0x8e75c2c]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!EnableWindow 00000000772faaa0 6 bytes {JMP QWORD [RIP+0x91d5590]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!MoveWindow 00000000772faad0 6 bytes {JMP QWORD [RIP+0x90f5560]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!GetAsyncKeyState 00000000772fc720 6 bytes {JMP QWORD [RIP+0x9093910]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!RegisterHotKey 00000000772fcd50 6 bytes {JMP QWORD [RIP+0x91732e0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!PostThreadMessageA 00000000772fd2b0 6 bytes {JMP QWORD [RIP+0x8eb2d80]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageA 00000000772fd338 6 bytes {JMP QWORD [RIP+0x8ef2cf8]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendNotifyMessageW 00000000772fdc40 6 bytes {JMP QWORD [RIP+0x8fd23f0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SystemParametersInfoW 00000000772ff510 6 bytes {JMP QWORD [RIP+0x91b0b20]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SetWindowsHookExW 00000000772ff874 6 bytes {JMP QWORD [RIP+0x8e307bc]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageTimeoutW 00000000772ffac0 6 bytes {JMP QWORD [RIP+0x8f50570]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!PostThreadMessageW 0000000077300b74 6 bytes {JMP QWORD [RIP+0x8ecf4bc]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SetWinEventHook + 1 0000000077304d4d 5 bytes {JMP QWORD [RIP+0x8e4b2e4]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!GetKeyState 0000000077305010 6 bytes {JMP QWORD [RIP+0x906b020]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageCallbackW 0000000077305438 6 bytes {JMP QWORD [RIP+0x8f8abf8]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageW 0000000077306b50 6 bytes {JMP QWORD [RIP+0x8f094e0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!PostMessageW 00000000773076e4 6 bytes {JMP QWORD [RIP+0x8e8894c]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendDlgItemMessageW 000000007730dd90 6 bytes {JMP QWORD [RIP+0x90022a0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!GetClipboardData 000000007730e874 6 bytes {JMP QWORD [RIP+0x91417bc]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SetClipboardViewer 000000007730f780 6 bytes {JMP QWORD [RIP+0x91008b0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendNotifyMessageA 00000000773128e4 6 bytes {JMP QWORD [RIP+0x8f9d74c]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!mouse_event 0000000077313894 6 bytes {JMP QWORD [RIP+0x8ddc79c]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!GetKeyboardState 0000000077318a10 6 bytes {JMP QWORD [RIP+0x9037620]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageTimeoutA 0000000077318be0 6 bytes {JMP QWORD [RIP+0x8f17450]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000077318c20 6 bytes {JMP QWORD [RIP+0x8df7410]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendInput 0000000077318cd0 6 bytes {JMP QWORD [RIP+0x9017360]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!BlockInput 000000007731ad60 6 bytes {JMP QWORD [RIP+0x91152d0]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!ExitWindowsEx 00000000773414e0 6 bytes {JMP QWORD [RIP+0x91aeb50]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!keybd_event 00000000773645a4 6 bytes {JMP QWORD [RIP+0x8d6ba8c]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendDlgItemMessageA 000000007736cc08 6 bytes {JMP QWORD [RIP+0x8f83428]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\USER32.dll!SendMessageCallbackA 000000007736df18 6 bytes {JMP QWORD [RIP+0x8f02118]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\services.exe[748] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010020075c .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002003a4 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100200b14 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100200ecc .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100201284 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsass.exe[756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\lsass.exe[756] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsm.exe[768] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\lsm.exe[768] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010021075c .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100211284 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4e6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010038075c .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003803a4 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100380b14 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100380ecc .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100381284 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4e6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[984] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010035075c .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003503a4 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100350b14 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100350ecc .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100351284 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[968] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 0A] .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0E] .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xe6cec]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\atiesrxx.exe[1048] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010015075c .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001503a4 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100150b14 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100150ecc .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100151284 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\System32\svchost.exe[1080] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1080] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010012075c .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001203a4 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100120b14 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100120ecc .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100121284 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\System32\svchost.exe[1116] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[1116] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001000a075c .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001000a03a4 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001000a0b14 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001000a0ecc .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001000a1284 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4e6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 6 bytes {JMP QWORD [RIP+0x87ac550]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d0ea60]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e2e9f0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e4e910]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c6e840]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c8e7f0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e0e7d0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ece5e0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d2e400]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e6e2b0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eae2a0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e8dea0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\AUDIODG.EXE[1216] C:\Windows\System32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001002a075c .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002a03a4 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001002a0b14 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001002a0ecc .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001002a1284 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[1268] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1268] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010041075c .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001004103a4 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x876ec30]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100410b14 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100410ecc .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d5ea60]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e7e9f0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e9e910]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cbe840]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100411284 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cde7f0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e5e7d0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f1e5e0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d7e400]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8ebe2b0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8efe2a0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8eddea0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8965c10]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x890e4e0]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88b7820]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 0A] .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0E] .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xe6cec]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\atieclxx.exe[1324] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010019075c .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001903a4 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100190b14 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100190ecc .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100191284 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 0A] .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0E] .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x15dd64]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x17db70]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x19a450]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x136cec]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x1e4648]} .text C:\Windows\System32\spoolsv.exe[1880] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x1aac20]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010011075c .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001103a4 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100110b14 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100110ecc .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100111284 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[1912] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\RPCRT4.dll!RpcServerRegisterIfEx 000007feff4e6bd0 6 bytes {JMP QWORD [RIP+0x109460]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1912] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010039075c .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003903a4 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100390b14 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100390ecc .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100391284 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2040] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010041075c .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001004103a4 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100410b14 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100410ecc .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100411284 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001003f075c .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001003f0b14 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001003f1284 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[1796] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001002b075c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002b03a4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001002b0b14 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001002b0ecc .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001002b1284 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 27] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 2B] .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x1edd64]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x20db70]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x22a450]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0x197c98]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x177668]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x1b6cec]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x264648]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x23ac20]} .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010029075c .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002903a4 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100290b14 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100290ecc .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100291284 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[2088] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100171014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100170c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100170e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamscheduler.exe[2128] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100171014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100170c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100170e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1C, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2B, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [28, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100180600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [25, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [37, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3A, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [22, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [2E, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2192] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe[2216] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100250600 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 6 bytes {JMP QWORD [RIP+0x87ac550]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d0ea60]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e2e9f0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e4e910]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c6e840]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c8e7f0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e0e7d0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ece5e0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d2e400]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e6e2b0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eae2a0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e8dea0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNEL32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8945c10]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNEL32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88ee4e0]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNEL32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x8897820]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001b0600 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001b0804 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001b0a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001b01f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001b03fc .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100241014 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100240804 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100240a08 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100240c0c .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100240e10 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001002401f8 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001002403fc .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100240600 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000739c17fa 2 bytes [9C, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000739c1860 2 bytes [9C, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000739c1942 2 bytes [9C, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000739c194d 2 bytes [9C, 73] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Windows\SysWOW64\PnkBstrA.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1C, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2B, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [28, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [25, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [37, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3A, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [22, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [2E, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsAuxs.exe[2372] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001b0600 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001b0804 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001b0a08 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001b01f8 .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001b03fc .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateThread + 28 0000000076ef34d1 4 bytes {CALL 0xffffffff8955cc30} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\PC Tools\PC Tools Security\pctsSvc.exe[2424] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001002b075c .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2568] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010024075c .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100241284 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\svchost.exe[2652] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001003b075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003b03a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001003b0b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001003b0ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001003b1284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 25] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x1bdd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x1edb70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x20a450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0x177c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x157668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x196cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x244648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x21ac20]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskhost.exe[2792] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001001301f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1C, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2B, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [28, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001001303fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100130804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100130600 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [25, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [37, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100130a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3A, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [22, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [2E, 71] .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100181014 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100180c0c .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100180e10 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe[2944] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100180600 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001001b075c .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001b03a4 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001001b0b14 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001001b0ecc .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001001b1284 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\Dwm.exe[3488] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010043075c .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001004303a4 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100430b14 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100430ecc .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100431284 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 0A] .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0E] .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\Explorer.EXE[3628] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x18dd64]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x1adb70]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x1da450]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0x147c98]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x127668]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x166cec]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x214648]} .text C:\Windows\Explorer.EXE[3628] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x1eac20]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010023075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002303a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100230b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100230ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100231284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x16dd64]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x18db70]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x1aa450]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0x127c98]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x107668]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x146cec]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010031075c .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003103a4 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a20380 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a20370 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 000000016fff00d8 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100310ecc .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a20390 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a20320 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a202e0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a202d0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a20310 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100311284 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a20230 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a203a0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a202f0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a20350 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a20290 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a202b0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a20330 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a20240 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a201e0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a20250 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a203b0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a203c0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a20300 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a20360 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a202a0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a202c0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a20340 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a20260 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a20270 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a201f0 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a20210 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a20200 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a20220 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a20280 .text C:\Program Files\COMODO\COMODO Internet Security\cavwp.exe[3116] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1C, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2B, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [28, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [25, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [37, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3A, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [22, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [2E, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7182001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x7179001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x717f001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x717c001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM.exe[2820] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [FE, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes JMP 00000000cc34c6bd .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [EF, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [E6, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F2, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0A, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [07, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EC, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DA, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [0D, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FB, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E3, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [DD, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [F8, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E0, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F5, 70] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [04, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [01, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7194001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1C, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2B, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [28, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [25, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x713d001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7131001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [37, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3A, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x711f001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7110001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [22, 71] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3448] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [2E, 71] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001003b075c .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001003b03a4 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001003b0b14 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001003b0ecc .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001003b1284 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x16dd64]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x18db70]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x1aa450]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0x127c98]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x107668]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0x146cec]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x1f4648]} .text C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x1cac20]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010029075c .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002903a4 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100290b14 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100290ecc .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100291284 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\taskeng.exe[3964] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 6 bytes {JMP QWORD [RIP+0x87ac550]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 5 bytes JMP 0000000077a30380 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 0000000077a30370 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 0000000077a30390 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d0ea60]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e2e9f0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 0000000077a30320 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 0000000077a302e0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e4e910]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 0000000077a302d0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 0000000077a30310 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c6e840]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c8e7f0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e0e7d0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 0000000077a30230 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x16e890} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ece5e0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 0000000077a303a0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d2e400]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 0000000077a302f0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 0000000077a30350 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 0000000077a30290 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 0000000077a302b0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e6e2b0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eae2a0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 0000000077a30330 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x16e590} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 0000000077a30240 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 0000000077a301e0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e8dea0]} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 0000000077a30250 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x16e090} .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 0000000077a303b0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 0000000077a303c0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 0000000077a30300 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 0000000077a30360 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 0000000077a302a0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 0000000077a302c0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 0000000077a30340 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 0000000077a30260 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 0000000077a30270 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 0000000077a301f0 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 0000000077a30210 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 0000000077a30200 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 0000000077a30220 .text C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 0000000077a30280 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8dfe9f0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 6 bytes {JMP QWORD [RIP+0x8dbe9b0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e1e910]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 6 bytes {JMP QWORD [RIP+0x8d9e880]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c9e840]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cbe7f0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8dde7d0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8e9e5e0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 6 bytes {JMP QWORD [RIP+0x8c7e4d0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e3e2b0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8e7e2a0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 6 bytes {JMP QWORD [RIP+0x8d5df30]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 4 bytes [FF, 25, A0, DE] .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject + 5 00000000778c2195 1 byte [08] .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 6 bytes {JMP QWORD [RIP+0x8d7d630]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 6 bytes {JMP QWORD [RIP+0x8cdd5b0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 6 bytes {JMP QWORD [RIP+0x8cfd530]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\SearchIndexer.exe[656] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d4ea60]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e6e9f0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e8e910]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8cae840]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8cce7f0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e4e7d0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8f0e5e0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d6e400]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8eae2b0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8eee2a0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8ecdea0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 0A] .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0E] .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0x10dd64]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x12db70]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x14a450]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xc7c98]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0xa7668]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xe6cec]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x184648]} .text C:\Windows\system32\WUDFHost.exe[4924] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x15ac20]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010016075c .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001001603a4 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100160b14 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100160ecc .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100161284 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\System32\svchost.exe[4996] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Windows\System32\svchost.exe[4996] C:\Windows\system32\ADVAPI32.dll!CreateProcessAsUserA 000007feff12a1a0 6 bytes {JMP QWORD [RIP+0xb5e90]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100080600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100080804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100080a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [EA, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [ED, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001000801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001000803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4776] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] ? C:\Windows\system32\mssprxy.dll [4776] entry point in ".rdata" section 00000000705671e6 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0x1009a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000101010600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000101010804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0x1009a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0x10099a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0x1009928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0x1009b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0x1009b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0x1009ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0x1009aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0x1009868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0x10098a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000101010a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0x1009828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0x10099e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0x1009968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0x10098e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001010101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001010103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001010601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001010603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000101060804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000101060600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000101060a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000101161014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000101160804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000101160a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000101160c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000101160e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001011601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001011603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000101160600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5256] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0x84e628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100860600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100860804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0x84e668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0x84e5a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0x84e528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0x84e728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0x84e768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0x84e6e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0x84e6a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0x84e468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0x84e4a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100860a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0x84e428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0x84e5e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0x84e568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0x84e4e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001008601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001008603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 0000000100a301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 0000000100a303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100a30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100a30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100a30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5396] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0x42b228; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100440600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100440804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0x42b268; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0x42b1a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0x42b128; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0x42b328; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0x42b368; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0x42b2e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0x42b2a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0x42b068; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0x42b0a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100440a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0x42b028; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0x42b1e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0x42b168; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0x42b0e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001004401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001004403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 00000001005401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001005403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100540804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100540600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100540a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100551014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100550804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100550a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100550c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100550e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 00000001005501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 00000001005503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100550600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5544] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0xd16a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100d30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100d30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0xd16a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0xd169a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0xd16928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0xd16b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0xd16b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0xd16ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0xd16aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0xd16868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0xd168a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100d30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0xd16828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0xd169e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0xd16968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0xd168e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 0000000100d301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 0000000100d303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 0000000100d801f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 0000000100d803fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100d80804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100d80600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100d80a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100d91014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100d90804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100d90a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100d90c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100d90e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 0000000100d901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 0000000100d903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100d90600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0x8e2a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100900600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100900804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0x8e2a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0x8e29a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0x8e2928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0x8e2b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0x8e2b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0x8e2ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0x8e2aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0x8e2868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0x8e28a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100900a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0x8e2828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0x8e29e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0x8e2968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0x8e28e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001009001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001009003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 0000000100ad01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 0000000100ad03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100ad0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100ad0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 3 bytes JMP 0000000100ad0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx + 4 0000000075acf52f 1 byte [8B] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100ae1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100ae0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100ae0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100ae0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100ae0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 0000000100ae01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 0000000100ae03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100ae0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[6032] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077a6f991 7 bytes {MOV EDX, 0xa59a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 0000000100a60600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 0000000100a60804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077a6fbd5 7 bytes {MOV EDX, 0xa59a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077a6fc05 7 bytes {MOV EDX, 0xa599a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077a6fc1d 7 bytes {MOV EDX, 0xa59928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077a6fc35 7 bytes {MOV EDX, 0xa59b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077a6fc65 7 bytes {MOV EDX, 0xa59b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [0E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077a6fce5 7 bytes {MOV EDX, 0xa59ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077a6fcfd 7 bytes {MOV EDX, 0xa59aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077a6fd49 7 bytes {MOV EDX, 0xa59868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [FF, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077a6fe41 7 bytes {MOV EDX, 0xa598a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes [FC, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [02, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [1A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 0000000100a60a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [17, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077a70099 7 bytes {MOV EDX, 0xa59828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [F0, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [1D, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [0B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [F9, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [F3, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [08, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [F6, 70] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077a710a5 7 bytes {MOV EDX, 0xa599e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077a7111d 7 bytes {MOV EDX, 0xa59968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077a71321 7 bytes {MOV EDX, 0xa598e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [05, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [14, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [11, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 0000000100a601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 0000000100a603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x719b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7195001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x71a1001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7189001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7186001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x7192001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x717d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x7183001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x718c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x7180001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x716b001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7126001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7165001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x715f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 5 bytes JMP 0000000100b201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [2C, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7171001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7144001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [3B, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7123001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [38, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 0000000100b203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7174001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x716e001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x7168001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x7129001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 5 bytes JMP 0000000100b20804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7153001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x7159001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7162001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 5 bytes JMP 0000000100b20600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [35, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7150001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x714d001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7141001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [47, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000100b20a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [4A, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x712f001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7120001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7177001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x717a001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x715c001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7156001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [32, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [3E, 71] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\ADVAPI32.dll!CreateProcessAsUserA 0000000076e82538 6 bytes {JMP QWORD [RIP+0x7198001e]} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000758f5181 5 bytes JMP 0000000100b31014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000758f5254 5 bytes JMP 0000000100b30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000758f53d5 5 bytes JMP 0000000100b30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000758f54c2 5 bytes JMP 0000000100b30c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000758f55e2 5 bytes JMP 0000000100b30e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000758f567c 5 bytes JMP 0000000100b301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000758f589f 5 bytes JMP 0000000100b303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000758f5a22 5 bytes JMP 0000000100b30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075191401 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075191419 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075191431 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007519144a 2 bytes [19, 75] .text ... * 9 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000751914dd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000751914f5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007519150d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075191525 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007519153d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075191555 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007519156d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075191585 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007519159d 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000751915b5 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000751915cd 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000751916b2 2 bytes [19, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5876] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000751916bd 2 bytes [19, 75] .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077893ae0 5 bytes JMP 000000010043075c .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077897a90 5 bytes JMP 00000001004303a4 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000778c13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtClose 00000000778c1400 6 bytes {JMP QWORD [RIP+0x875ec30]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000778c1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000778c1490 5 bytes JMP 0000000100430b14 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000778c14f0 5 bytes JMP 0000000100430ecc .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000778c15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000778c15d0 6 bytes {JMP QWORD [RIP+0x8d1ea60]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000778c1640 6 bytes {JMP QWORD [RIP+0x8e3e9f0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000778c1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000778c1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAdjustPrivilegesToken 00000000778c1720 6 bytes {JMP QWORD [RIP+0x8e5e910]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000778c1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778c17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778c17f0 6 bytes {JMP QWORD [RIP+0x8c7e840]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000778c1810 5 bytes JMP 0000000100431284 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00000000778c1840 6 bytes {JMP QWORD [RIP+0x8c9e7f0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000778c1860 6 bytes {JMP QWORD [RIP+0x8e1e7d0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000778c19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000778c19a2 3 bytes {JMP 0x872e890} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcConnectPort 00000000778c1a50 6 bytes {JMP QWORD [RIP+0x8ede5e0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000778c1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtConnectPort 00000000778c1c30 6 bytes {JMP QWORD [RIP+0x8d3e400]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000778c1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000778c1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000778c1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000778c1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSymbolicLinkObject 00000000778c1d80 6 bytes {JMP QWORD [RIP+0x8e7e2b0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778c1d90 6 bytes {JMP QWORD [RIP+0x8ebe2a0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000778c1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000778c1da2 3 bytes {JMP 0x872e590} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000778c1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000778c2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778c2190 6 bytes {JMP QWORD [RIP+0x8e9dea0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000778c21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000778c21c2 3 bytes {JMP 0x872e090} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000778c21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000778c2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000778c2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000778c2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000778c22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000778c22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000778c2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000778c2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000778c2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778c2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000778c2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000778c2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000778c2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000778c2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessAsUserW 000000007775a420 6 bytes {JMP QWORD [RIP+0x8955c10]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessW 0000000077771b50 6 bytes {JMP QWORD [RIP+0x88fe4e0]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\kernel32.dll!CreateProcessA 00000000777e8810 6 bytes {JMP QWORD [RIP+0x88a7820]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefdd8b915 3 bytes [F5, 46, 06] .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\KERNELBASE.dll!SetProcessShutdownParameters 000007fefdd967c0 5 bytes [FF, 25, 70, 98, 0A] .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff486e00 5 bytes JMP 000007ff7f4a1dac .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff486f2c 5 bytes JMP 000007ff7f4a0ecc .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff487220 5 bytes JMP 000007ff7f4a1284 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff48739c 5 bytes JMP 000007ff7f4a163c .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff487538 5 bytes JMP 000007ff7f4a19f4 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4875e8 5 bytes JMP 000007ff7f4a03a4 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff48790c 5 bytes JMP 000007ff7f4a075c .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff487ab4 5 bytes JMP 000007ff7f4a0b14 .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!DeleteDC 000007feff9c22cc 6 bytes {JMP QWORD [RIP+0xedd64]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!BitBlt 000007feff9c24c0 6 bytes {JMP QWORD [RIP+0x10db70]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!MaskBlt 000007feff9c5be0 6 bytes {JMP QWORD [RIP+0x12a450]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCW 000007feff9c8398 6 bytes {JMP QWORD [RIP+0xa7c98]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!CreateDCA 000007feff9c89c8 6 bytes {JMP QWORD [RIP+0x87668]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!GetPixel 000007feff9c9344 6 bytes {JMP QWORD [RIP+0xc6cec]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!StretchBlt 000007feff9cb9e8 6 bytes {JMP QWORD [RIP+0x164648]} .text C:\Windows\system32\sppsvc.exe[2516] C:\Windows\system32\GDI32.dll!PlgBlt 000007feff9d5410 6 bytes {JMP QWORD [RIP+0x13ac20]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtClose 0000000077a6f9c0 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtClose + 4 0000000077a6f9c4 2 bytes [AE, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077a6faa0 5 bytes JMP 00000001001c0600 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077a6fb38 5 bytes JMP 00000001001c0804 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077a6fc90 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess + 4 0000000077a6fc94 2 bytes [01, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 0000000077a6fd44 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 4 0000000077a6fd48 2 bytes [EC, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 0000000077a6fda8 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 4 0000000077a6fdac 2 bytes [F2, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken 0000000077a6fea0 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAdjustPrivilegesToken + 4 0000000077a6fea4 2 bytes JMP 00000000cc34c819 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 0000000077a6ff84 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 4 0000000077a6ff88 2 bytes [F5, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread 0000000077a6ffe4 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThread + 4 0000000077a6ffe8 2 bytes [0D, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077a70018 5 bytes JMP 00000001001c0a08 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread 0000000077a70064 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateThread + 4 0000000077a70068 2 bytes [0A, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 0000000077a70094 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 4 0000000077a70098 2 bytes [EF, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort 0000000077a70398 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcConnectPort + 4 0000000077a7039c 2 bytes [DD, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077a70530 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAlpcSendWaitReceivePort + 4 0000000077a70534 2 bytes [10, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort 0000000077a70674 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtConnectPort + 4 0000000077a70678 2 bytes [FE, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject 0000000077a7086c 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateSymbolicLinkObject + 4 0000000077a70870 2 bytes [E6, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx 0000000077a70884 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtCreateThreadEx + 4 0000000077a70888 2 bytes [E0, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver 0000000077a70dd4 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtLoadDriver + 4 0000000077a70dd8 2 bytes [FB, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject 0000000077a70eb8 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 4 0000000077a70ebc 2 bytes [E3, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation 0000000077a71bc4 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemInformation + 4 0000000077a71bc8 2 bytes [F8, 70] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem 0000000077a71c94 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtShutdownSystem + 4 0000000077a71c98 2 bytes [07, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl 0000000077a71d6c 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtSystemDebugControl + 4 0000000077a71d70 2 bytes [04, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077a8c45a 5 bytes JMP 00000001001c01f8 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077a91217 5 bytes JMP 00000001001c03fc .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000076ef103d 6 bytes {JMP QWORD [RIP+0x719a001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000076ef1072 6 bytes {JMP QWORD [RIP+0x7197001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076f1a30a 1 byte [62] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\kernel32.dll!CreateProcessAsUserW 0000000076f1c9b5 6 bytes {JMP QWORD [RIP+0x7191001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\KERNELBASE.dll!SetProcessShutdownParameters 00000000769df776 6 bytes {JMP QWORD [RIP+0x719d001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 00000000769e2c91 4 bytes {CALL QWORD [RIP+0x71ac000a]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!PostThreadMessageW 0000000075aa8bff 6 bytes {JMP QWORD [RIP+0x715e001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoW 0000000075aa90d3 6 bytes {JMP QWORD [RIP+0x7119001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageW 0000000075aa9679 6 bytes {JMP QWORD [RIP+0x7158001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutW 0000000075aa97d2 6 bytes {JMP QWORD [RIP+0x7152001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075aaee09 6 bytes JMP 00000001026901f8 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!RegisterHotKey 0000000075aaefc9 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!RegisterHotKey + 4 0000000075aaefcd 2 bytes [1F, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!PostMessageW 0000000075ab12a5 6 bytes {JMP QWORD [RIP+0x7164001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000075ab291f 6 bytes {JMP QWORD [RIP+0x7137001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetParent 0000000075ab2d64 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetParent + 4 0000000075ab2d68 2 bytes [2E, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000075ab2da4 6 bytes {JMP QWORD [RIP+0x7116001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!MoveWindow 0000000075ab3698 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!MoveWindow + 4 0000000075ab369c 2 bytes [2B, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075ab3982 5 bytes JMP 00000001026903fc .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!PostMessageA 0000000075ab3baa 6 bytes {JMP QWORD [RIP+0x7167001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!PostThreadMessageA 0000000075ab3c61 6 bytes {JMP QWORD [RIP+0x7161001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000075ab612e 6 bytes {JMP QWORD [RIP+0x715b001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SystemParametersInfoA 0000000075ab6c30 6 bytes {JMP QWORD [RIP+0x711c001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075ab7603 6 bytes JMP 0000000102690804 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageW 0000000075ab7668 6 bytes {JMP QWORD [RIP+0x7146001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackW 0000000075ab76e0 6 bytes {JMP QWORD [RIP+0x714c001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageTimeoutA 0000000075ab781f 6 bytes {JMP QWORD [RIP+0x7155001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075ab835c 6 bytes JMP 0000000102690600 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 0000000075abc4b6 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SetClipboardViewer + 4 0000000075abc4ba 2 bytes [28, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageA 0000000075acc112 6 bytes {JMP QWORD [RIP+0x7143001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendDlgItemMessageW 0000000075acd0f5 6 bytes {JMP QWORD [RIP+0x7140001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000075aceb96 6 bytes {JMP QWORD [RIP+0x7134001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!GetKeyboardState 0000000075acec68 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!GetKeyboardState + 4 0000000075acec6c 2 bytes [3A, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075acf52b 5 bytes JMP 0000000102690a08 .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendInput 0000000075acff4a 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendInput + 4 0000000075acff4e 2 bytes [3D, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075ae9f1d 6 bytes {JMP QWORD [RIP+0x7122001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!ExitWindowsEx 0000000075af1497 6 bytes {JMP QWORD [RIP+0x7113001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!mouse_event 0000000075b0027b 6 bytes {JMP QWORD [RIP+0x7173001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!keybd_event 0000000075b002bf 6 bytes {JMP QWORD [RIP+0x7176001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendMessageCallbackA 0000000075b06cfc 6 bytes {JMP QWORD [RIP+0x714f001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!SendNotifyMessageA 0000000075b06d5d 6 bytes {JMP QWORD [RIP+0x7149001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!BlockInput 0000000075b07dd7 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!BlockInput + 4 0000000075b07ddb 2 bytes [25, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices 0000000075b088eb 3 bytes [FF, 25, 1E] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\USER32.dll!RegisterRawInputDevices + 4 0000000075b088ef 2 bytes [31, 71] .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000759858b3 6 bytes {JMP QWORD [RIP+0x7185001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!BitBlt 0000000075985ea6 6 bytes {JMP QWORD [RIP+0x7182001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075987bcc 6 bytes {JMP QWORD [RIP+0x718e001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!StretchBlt 000000007598b895 6 bytes {JMP QWORD [RIP+0x7179001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!MaskBlt 000000007598c332 6 bytes {JMP QWORD [RIP+0x717f001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!GetPixel 000000007598cbfb 6 bytes {JMP QWORD [RIP+0x7188001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007598e743 6 bytes {JMP QWORD [RIP+0x718b001e]} .text C:\Users\Janeczek\Desktop\rjf5zst3.exe[5772] C:\Windows\syswow64\GDI32.dll!PlgBlt 00000000759b4646 6 bytes {JMP QWORD [RIP+0x717c001e]} ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Windows\system32\wininit.exe[648] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\services.exe[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\services.exe[ntdll.dll!NtShutdownSystem] [80520000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\services.exe[748] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\SAMSRV.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\lsass.exe[756] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\lsm.exe[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\lsm.exe[768] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[892] @ c:\windows\system32\umpo.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[892] @ C:\Windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[984] @ c:\windows\system32\rpcepmap.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[984] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[968] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\atiesrxx.exe[1048] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\System32\svchost.exe[1080] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1116] @ c:\windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[1116] @ c:\windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[1116] @ c:\windows\system32\sysmain.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[1116] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[1116] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1148] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1148] @ c:\windows\system32\mmcss.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1148] @ c:\windows\system32\srvsvc.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1148] @ C:\Windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1148] @ c:\windows\system32\aelupsvc.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\system32\AUDIODG.EXE[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\audioses.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\AUDIODG.EXE[1216] @ C:\Windows\System32\AVRT.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1268] @ c:\windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1268] @ C:\Windows\System32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806d0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80010000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80670000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80190000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [806a0000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80190000] IAT C:\Windows\system32\atieclxx.exe[1324] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80160000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\spoolsv.exe[1880] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1912] @ c:\windows\system32\dps.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1912] @ C:\Windows\system32\wdi.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[2040] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\CISVC.EXE[1304] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1600] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\system32\svchost.exe[1796] @ C:\Windows\system32\MSWSOCK.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe[1932] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\System32\svchost.exe[2088] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe[2252] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80000000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[2568] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\system32\svchost.exe[2652] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef95e741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef95e5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef95e5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef95e5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef95e7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef95e6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef95e6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef95e7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef95e7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef95e78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef95e4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef95e5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef95e7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2804] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\taskhost.exe[2792] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\Dwm.exe[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\dwmcore.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\dxgi.dll[USER32.dll!SetWindowsHookExA] [80050000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\Dwm.exe[3488] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\Explorer.EXE[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\Explorer.EXE[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\Explorer.EXE[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\EXPLORERFRAME.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\UxTheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\dwmapi.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\dwmapi.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\apphelp.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\System32\gameux.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\System32\wer.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\authui.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\AUDIOSES.DLL[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\System32\AltTab.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\Explorer.EXE[3628] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[3436] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\MOM.exe[3368] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\MOM.exe[3368] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\MOM.exe[3368] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\MOM.exe[3368] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files (x86)\ATI Technologies\HydraVision\HydraDM64.exe[3472] @ C:\Windows\system32\uxtheme.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\taskeng.exe[3964] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] @ C:\Windows\system32\KERNEL32.dll[ntdll.dll!NtSetSystemInformation] [80620000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80650000] IAT C:\SystemoWe Nie Ruszać!\ATI.ACE\Core-Static\CCC.exe[3212] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80680000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\system32\SearchIndexer.exe[656] @ C:\Windows\system32\apphelp.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\GDI32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Windows\system32\WUDFHost.exe[4924] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80660000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80630000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80050000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805c0000] IAT C:\Windows\System32\svchost.exe[4996] @ C:\Windows\system32\ntmarta.dll[ntdll.dll!NtOpenSection] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\kernel32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\kernel32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!NtOpenSection] [806c0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\KERNELBASE.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!LdrUnloadDll] [80000000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\ADVAPI32.dll[ntdll.dll!NtSetSystemInformation] [80660000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\RPCRT4.dll[ntdll.dll!NtCreateSection] [80690000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\ole32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\WS2_32.dll[ntdll.dll!NtLoadDriver] [805f0000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\MSCTF.dll[ntdll.dll!NtAlpcSendWaitReceivePort] [80180000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\MSCTF.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\SHELL32.dll[USER32.dll!SetWinEventHook] [80150000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!SetWindowsHookExW] [80120000] IAT C:\Program Files\Windows Media Player\wmpnetwk.exe[5092] @ C:\Windows\system32\mswsock.dll[ntdll.dll!NtLoadDriver] [805f0000] ---- Modules - GMER 2.0 ---- Module \Device\Harddisk0\Partition2\Windows\system32\drivers\PctWfpFilter64.sys fffff88004096000-fffff880040d9000 (274432 bytes) ---- Threads - GMER 2.0 ---- Thread C:\Windows\System32\spoolsv.exe [1880:3432] 000007fef22f10c8 Thread C:\Windows\System32\spoolsv.exe [1880:3464] 000007fef1df6144 Thread C:\Windows\System32\spoolsv.exe [1880:3484] 000007fef9e95fd0 Thread C:\Windows\System32\spoolsv.exe [1880:3476] 000007fef2363438 Thread C:\Windows\System32\spoolsv.exe [1880:3324] 000007fef9e963ec Thread C:\Windows\System32\spoolsv.exe [1880:3496] 000007fef24c5e5c Thread C:\Windows\System32\spoolsv.exe [1880:3008] 000007fef1c85074 Thread C:\Windows\system32\svchost.exe [2652:2160] 000007fef969976c Thread C:\Windows\system32\svchost.exe [2652:2532] 000007fef99c2040 Thread C:\Windows\system32\svchost.exe [2652:2552] 000007fef99c2040 Thread C:\Windows\system32\svchost.exe [2652:2556] 000007fef99c2040 Thread C:\Windows\system32\svchost.exe [2652:2564] 000007fef99c2040 Thread C:\Windows\system32\svchost.exe [2652:2628] 000007fefa416b40 Thread C:\Windows\system32\svchost.exe [2652:2632] 000007fef96c1fa0 Thread C:\Windows\system32\svchost.exe [2652:2964] 000007fef96c5c18 ---- EOF - GMER 2.0 ----