GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-02-06 18:06:39 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500420AS rev.D005SDM1 465,76GB Running: gmer.exe; Driver: C:\Users\Asia\AppData\Local\Temp\kftcqaog.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000149df0440 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000149df0430 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000149df0450 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0xffffffffd220ee90} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000149df03b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000149df0320 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000149df0380 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000149df02e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000149df0410 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000149df02d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000149df0310 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000149df0390 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000149df03c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000149df0230 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0xffffffffd220e890} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000149df0460 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000149df0370 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000149df02f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000149df0350 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000149df0290 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000149df02b0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000149df03a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000149df0330 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0xffffffffd220e590} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000149df03e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000149df0240 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000149df01e0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000149df0250 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0xffffffffd220e090} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000149df0470 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000149df0480 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000149df0300 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000149df0360 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000149df02a0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000149df02c0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000149df0340 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000149df0420 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000149df0260 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000149df0270 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000149df03d0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0xffffffffd220db90} .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000149df01f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000149df0210 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000149df0200 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000149df03f0 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000149df0400 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000149df0220 .text C:\Windows\system32\csrss.exe[468] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000149df0280 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\wininit.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\wininit.exe[532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000149df0440 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000149df0430 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000149df0450 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0xffffffffd220ee90} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000149df03b0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000149df0320 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000149df0380 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000149df02e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000149df0410 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000149df02d0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000149df0310 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000149df0390 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000149df03c0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000149df0230 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0xffffffffd220e890} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000149df0460 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000149df0370 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000149df02f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000149df0350 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000149df0290 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000149df02b0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000149df03a0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000149df0330 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0xffffffffd220e590} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000149df03e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000149df0240 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000149df01e0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000149df0250 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0xffffffffd220e090} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000149df0470 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000149df0480 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000149df0300 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000149df0360 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000149df02a0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000149df02c0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000149df0340 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000149df0420 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000149df0260 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000149df0270 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000149df03d0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0xffffffffd220db90} .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000149df01f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000149df0210 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000149df0200 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000149df03f0 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000149df0400 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000149df0220 .text C:\Windows\system32\csrss.exe[552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000149df0280 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\services.exe[588] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\services.exe[588] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\lsass.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\lsm.exe[620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\svchost.exe[872] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\svchost.exe[872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\svchost.exe[908] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\svchost.exe[908] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[948] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe[984] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0xffffffff8848ee90} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0xffffffff8848e890} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0xffffffff8848e590} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0xffffffff8848e090} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0xffffffff8848db90} .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[392] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\winlogon.exe[1120] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\WLANExt.exe[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[1404] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\spoolsv.exe[1532] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1696] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 0000000077d403b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[1720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1824] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001001d075c .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001d03a4 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001001d0b14 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001001d0ecc .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001001d163c .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001001d1284 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\taskhost.exe[1856] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010021075c .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002103a4 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100210b14 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100210ecc .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010021163c .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100211284 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\Dwm.exe[2196] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010011075c .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001103a4 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100110b14 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100110ecc .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010011163c .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100111284 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\Explorer.EXE[2240] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\Explorer.EXE[2240] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001003401f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001003403fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100340804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100340600 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100340a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100351014 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100350804 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100350a08 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100350c0c .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100350e10 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001003501f8 .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001003503fc .text C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe[2276] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100350600 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2288] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001001e075c .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001001e0b14 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001001e163c .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001001e1284 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\svchost.exe[2324] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001001d01f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001001d03fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 00000001001d0804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 00000001001d0600 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 00000001001d0a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100271014 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100270804 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100270a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100270c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100270e10 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002701f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002703fc .text C:\ProgramData\DatacardService\DCSHelper.exe[2520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100270600 .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\wbem\unsecapp.exe[2932] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001001a075c .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001a03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001001a0b14 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001001a0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001001a163c .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001001a1284 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\wbem\wmiprvse.exe[3004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010037075c .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010037163c .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100371284 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\taskeng.exe[3060] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001003e075c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001003e03a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001003e0b14 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001003e0ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001003e163c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001003e1284 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2472] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010036075c .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001003603a4 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100360b14 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100360ecc .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010036163c .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100361284 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Java\jre6\bin\jusched.exe[2188] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010024075c .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002403a4 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100240b14 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100240ecc .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010024163c .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100241284 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\igfxtray.exe[128] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010027075c .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100270b14 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010027163c .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100271284 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\hkcmd.exe[2216] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010044075c .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001004403a4 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100440b14 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100440ecc .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010044163c .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100441284 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\igfxpers.exe[2616] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\IDT\WDM\sttray64.exe[1260] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001002f075c .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002f03a4 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001002f0b14 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001002f0ecc .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001002f163c .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001002f1284 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\igfxsrvc.exe[1264] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\STMicroelectronics\Accelerometer\FF_Protection.exe[2556] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100260600 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 4 bytes JMP 000000007fff075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 000000007fff03a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 000000007fff0b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 000000007fff0ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000007fff163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 000000007fff1284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3088] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001003e075c .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001003e03a4 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001003e0b14 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001003e0ecc .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001003e163c .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001003e1284 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Dell\QuickSet\quickset.exe[3124] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100141014 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100140c0c .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100140e10 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Dell\Dell Mobile Broadband Manager\WirelessManager.exe[3188] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100150a08 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001002f075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002f03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001002f0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001002f0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001002f163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001002f1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3196] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001002e075c .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002e03a4 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001002e0b14 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001002e0ecc .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001002e163c .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001002e1284 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\svchost.exe[3436] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[3644] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3724] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001003f075c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001003f0b14 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0xffffffff8848ee90} .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001003f163c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001003f1284 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0xffffffff8848e890} .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0xffffffff8848e590} .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0xffffffff8848e090} .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0xffffffff8848db90} .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\SearchIndexer.exe[3776] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\wbem\unsecapp.exe[3836] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[4056] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100230c0c .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Program Files (x86)\facemoods.com\facemoods\1.4.17.6\facemoodssrv.exe[3108] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\QuickTime\qttask.exe[3136] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[2996] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3492] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100121014 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100120c0c .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100120e10 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Program Files (x86)\Ask.com\Updater\Updater.exe[3676] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe[3796] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe[3952] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100271014 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100270c0c .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100270e10 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe[3536] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe[3548] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5108] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100250a08 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010043075c .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001004303a4 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100430b14 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100430ecc .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010043163c .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100431284 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\svchost.exe[4220] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2468] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010028075c .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002803a4 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100280b14 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100280ecc .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010028163c .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100281284 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\wuauclt.exe[3632] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\WUDFHost.exe[2828] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100341014 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100340804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100340a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100340c0c .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100340e10 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001003401f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001003403fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100340600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001003501f8 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001003503fc .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100350804 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100350600 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100350a08 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Program Files (x86)\PLAY ONLINE\PLAY ONLINE.exe[5064] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010021075c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001002103a4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100210b14 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100210ecc .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010021163c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100211284 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\System32\svchost.exe[4624] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\svchost.exe[5384] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001001001f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001001003fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100100804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100100600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100100a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100111014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100110804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100110a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100110c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100110e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001001101f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001001103fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100110600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4584] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] ? C:\Windows\system32\mssprxy.dll [4584] entry point in ".rdata" section 0000000073da71e6 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f991 7 bytes {MOV EDX, 0x931228; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 00000001009c0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 00000001009c0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fbd5 7 bytes {MOV EDX, 0x931268; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fc05 7 bytes {MOV EDX, 0x9311a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fc1d 7 bytes {MOV EDX, 0x931128; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fc35 7 bytes {MOV EDX, 0x931328; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc65 7 bytes {MOV EDX, 0x931368; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001009c0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fce5 7 bytes {MOV EDX, 0x9312e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcfd 7 bytes {MOV EDX, 0x9312a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd49 7 bytes {MOV EDX, 0x931068; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe41 7 bytes {MOV EDX, 0x9310a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001009c0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90099 7 bytes {MOV EDX, 0x931028; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d910a5 7 bytes {MOV EDX, 0x9311e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d9111d 7 bytes {MOV EDX, 0x931168; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d91321 7 bytes {MOV EDX, 0x9310e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001009c01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001009c03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001009d01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001009d03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 00000001009d0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 00000001009d0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 00000001009d0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 00000001009e1014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 00000001009e0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 00000001009e0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 00000001009e0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 00000001009e0e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001009e01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001009e03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 00000001009e0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f991 7 bytes {MOV EDX, 0x3e9a28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100440600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100440804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fbd5 7 bytes {MOV EDX, 0x3e9a68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fc05 7 bytes {MOV EDX, 0x3e99a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fc1d 7 bytes {MOV EDX, 0x3e9928; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fc35 7 bytes {MOV EDX, 0x3e9b28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc65 7 bytes {MOV EDX, 0x3e9b68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100440c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fce5 7 bytes {MOV EDX, 0x3e9ae8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcfd 7 bytes {MOV EDX, 0x3e9aa8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd49 7 bytes {MOV EDX, 0x3e9868; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe41 7 bytes {MOV EDX, 0x3e98a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100440a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90099 7 bytes {MOV EDX, 0x3e9828; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d910a5 7 bytes {MOV EDX, 0x3e99e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d9111d 7 bytes {MOV EDX, 0x3e9968; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d91321 7 bytes {MOV EDX, 0x3e98e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001004401f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001004403fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001004901f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001004903fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100490804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100490600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100490a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 00000001004a1014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 00000001004a0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 00000001004a0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 00000001004a0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 00000001004a0e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001004a01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001004a03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 00000001004a0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[1148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f991 7 bytes {MOV EDX, 0xf00e28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100fc0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100fc0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fbd5 7 bytes {MOV EDX, 0xf00e68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fc05 7 bytes {MOV EDX, 0xf00da8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fc1d 7 bytes {MOV EDX, 0xf00d28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fc35 7 bytes {MOV EDX, 0xf00f28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc65 7 bytes {MOV EDX, 0xf00f68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100fc0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fce5 7 bytes {MOV EDX, 0xf00ee8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcfd 7 bytes {MOV EDX, 0xf00ea8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd49 7 bytes {MOV EDX, 0xf00c68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe41 7 bytes {MOV EDX, 0xf00ca8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100fc0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90099 7 bytes {MOV EDX, 0xf00c28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d910a5 7 bytes {MOV EDX, 0xf00de8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d9111d 7 bytes {MOV EDX, 0xf00d68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d91321 7 bytes {MOV EDX, 0xf00ce8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 0000000100fc01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 0000000100fc03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 0000000100fd01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 0000000100fd03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100fd0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100fd0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100fd0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100fe1014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100fe0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100fe0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100fe0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100fe0e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 0000000100fe01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 0000000100fe03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100fe0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[4520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f991 7 bytes {MOV EDX, 0x792a28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 00000001007f0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 00000001007f0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fbd5 7 bytes {MOV EDX, 0x792a68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fc05 7 bytes {MOV EDX, 0x7929a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fc1d 7 bytes {MOV EDX, 0x792928; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fc35 7 bytes {MOV EDX, 0x792b28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc65 7 bytes {MOV EDX, 0x792b68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001007f0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fce5 7 bytes {MOV EDX, 0x792ae8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcfd 7 bytes {MOV EDX, 0x792aa8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd49 7 bytes {MOV EDX, 0x792868; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe41 7 bytes {MOV EDX, 0x7928a8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001007f0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90099 7 bytes {MOV EDX, 0x792828; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d910a5 7 bytes {MOV EDX, 0x7929e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d9111d 7 bytes {MOV EDX, 0x792968; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d91321 7 bytes {MOV EDX, 0x7928e8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001007f01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001007f03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001008001f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001008003fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100800804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100800600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100800a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100811014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100810804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100810a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100810c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100810e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001008101f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001008103fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100810600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[5364] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000077d8f991 7 bytes {MOV EDX, 0x80ee28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 00000001008d0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 00000001008d0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000077d8fbd5 7 bytes {MOV EDX, 0x80ee68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000077d8fc05 7 bytes {MOV EDX, 0x80eda8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000077d8fc1d 7 bytes {MOV EDX, 0x80ed28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000077d8fc35 7 bytes {MOV EDX, 0x80ef28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000077d8fc65 7 bytes {MOV EDX, 0x80ef68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 00000001008d0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000077d8fce5 7 bytes {MOV EDX, 0x80eee8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000077d8fcfd 7 bytes {MOV EDX, 0x80eea8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000077d8fd49 7 bytes {MOV EDX, 0x80ec68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000077d8fe41 7 bytes {MOV EDX, 0x80eca8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 00000001008d0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077d90099 7 bytes {MOV EDX, 0x80ec28; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000077d910a5 7 bytes {MOV EDX, 0x80ede8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000077d9111d 7 bytes {MOV EDX, 0x80ed68; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077d91321 7 bytes {MOV EDX, 0x80ece8; JMP RDX} .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001008d01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001008d03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001008e01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001008e03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 00000001008e0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 00000001008e0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 00000001008e0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 00000001008f1014 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 00000001008f0804 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 00000001008f0a08 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 00000001008f0c0c .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 00000001008f0e10 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001008f01f8 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001008f03fc .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 00000001008f0600 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076841401 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076841419 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076841431 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007684144a 2 bytes [84, 76] .text ... * 9 .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000768414dd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000768414f5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007684150d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076841525 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007684153d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076841555 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007684156d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076841585 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007684159d 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000768415b5 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000768415cd 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000768416b2 2 bytes [84, 76] .text C:\Users\Asia\AppData\Local\Google\Chrome\Application\chrome.exe[6100] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000768416bd 2 bytes [84, 76] .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 000000010019075c .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001903a4 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000077be13c0 5 bytes JMP 0000000077d40440 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077be1410 5 bytes JMP 0000000077d40430 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 0000000100190b14 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 0000000100190ecc .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000077be15c0 1 byte JMP 0000000077d40450 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000077be15c2 3 bytes {JMP 0x15ee90} .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 000000010019163c .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077be1680 5 bytes JMP 0000000077d40320 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077be16b0 5 bytes JMP 0000000077d40380 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077be1710 5 bytes JMP 0000000077d402e0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077be1760 5 bytes JMP 0000000077d40410 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077be1790 5 bytes JMP 0000000077d402d0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000077be17b0 5 bytes JMP 0000000077d40310 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000077be17f0 5 bytes JMP 0000000077d40390 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 0000000100191284 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077be1840 5 bytes JMP 0000000077d403c0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000077be19a0 1 byte JMP 0000000077d40230 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000077be19a2 3 bytes {JMP 0x15e890} .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077be1b60 5 bytes JMP 0000000077d40460 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077be1b90 5 bytes JMP 0000000077d40370 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077be1c70 5 bytes JMP 0000000077d402f0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077be1c80 5 bytes JMP 0000000077d40350 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077be1ce0 5 bytes JMP 0000000077d40290 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077be1d70 5 bytes JMP 0000000077d402b0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077be1d90 5 bytes JMP 0000000077d403a0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077be1da0 1 byte JMP 0000000077d40330 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077be1da2 3 bytes {JMP 0x15e590} .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077be1e10 5 bytes JMP 0000000077d403e0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077be1e40 5 bytes JMP 0000000077d40240 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077be2100 5 bytes JMP 0000000077d401e0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000077be21c0 1 byte JMP 0000000077d40250 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000077be21c2 3 bytes {JMP 0x15e090} .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000077be21f0 5 bytes JMP 0000000077d40470 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077be2200 5 bytes JMP 0000000077d40480 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077be2230 5 bytes JMP 0000000077d40300 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077be2240 5 bytes JMP 0000000077d40360 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077be22a0 5 bytes JMP 0000000077d402a0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077be22f0 5 bytes JMP 0000000077d402c0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077be2330 5 bytes JMP 0000000077d40340 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077be2620 5 bytes JMP 0000000077d40420 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077be2820 5 bytes JMP 0000000077d40260 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077be2830 5 bytes JMP 0000000077d40270 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077be2840 1 byte JMP 0000000077d403d0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077be2842 3 bytes {JMP 0x15db90} .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077be2a00 5 bytes JMP 0000000077d401f0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077be2a10 5 bytes JMP 0000000077d40210 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077be2a80 5 bytes JMP 0000000077d40200 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077be2ae0 5 bytes JMP 0000000077d403f0 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077be2af0 5 bytes JMP 0000000077d40400 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077be2b00 5 bytes JMP 0000000077d40220 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077be2be0 5 bytes JMP 0000000077d40280 .text C:\Windows\notepad.exe[4540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\notepad.exe[4540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077bb3ae0 5 bytes JMP 00000001001f075c .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077bb7a90 5 bytes JMP 00000001001f03a4 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077be1490 5 bytes JMP 00000001001f0b14 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000077be14f0 5 bytes JMP 00000001001f0ecc .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000077be15d0 5 bytes JMP 00000001001f163c .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077be1810 5 bytes JMP 00000001001f1284 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefe5f6e00 5 bytes JMP 000007ff7e611dac .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefe5f6f2c 5 bytes JMP 000007ff7e610ecc .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefe5f7220 5 bytes JMP 000007ff7e611284 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefe5f739c 5 bytes JMP 000007ff7e61163c .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefe5f7538 5 bytes JMP 000007ff7e6119f4 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefe5f75e8 5 bytes JMP 000007ff7e6103a4 .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefe5f790c 5 bytes JMP 000007ff7e61075c .text C:\Windows\system32\taskeng.exe[3552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefe5f7ab4 5 bytes JMP 000007ff7e610b14 .text C:\Windows\system32\AUDIODG.EXE[4680] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007750eecd 1 byte [62] .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000077d8faa0 5 bytes JMP 0000000100030600 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000077d8fb38 5 bytes JMP 0000000100030804 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000077d8fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077d90018 5 bytes JMP 0000000100030a08 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000077dac45a 5 bytes JMP 00000001000301f8 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077db1217 5 bytes JMP 00000001000303fc .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076cda30a 1 byte [62] .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076755181 5 bytes JMP 0000000100241014 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076755254 5 bytes JMP 0000000100240804 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000767553d5 5 bytes JMP 0000000100240a08 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000767554c2 5 bytes JMP 0000000100240c0c .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000767555e2 5 bytes JMP 0000000100240e10 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007675567c 5 bytes JMP 00000001002401f8 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007675589f 5 bytes JMP 00000001002403fc .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076755a22 5 bytes JMP 0000000100240600 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 00000000773cee09 5 bytes JMP 00000001002501f8 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 00000000773d3982 5 bytes JMP 00000001002503fc .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 00000000773d7603 5 bytes JMP 0000000100250804 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 00000000773d835c 5 bytes JMP 0000000100250600 .text C:\Users\Asia\Desktop\skany\GMER\gmer\gmer.exe[5288] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 00000000773ef52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.0 ---- Thread C:\Windows\System32\svchost.exe [4220:4536] 000007fef6669688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:4092] 000007fefe8b0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:2832] 000007fefb7a2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:2820] 000007fef104d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2468:4580] 000007fefaca5124 ---- Processes - GMER 2.0 ---- Library C:\Users\Asia\Desktop\Nucik\MBAM\mbamext.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [2240] 000007fef2ca0000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{AD87B044-5625-4515-B452-6A8F4B86F630}\Connection@Name isatap.{E0C1EE07-E3C7-4491-89BA-EC50B521F251} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{2C620C25-483B-4F34-8943-5D9FFA124525}?\Device\{249770D5-EF36-4726-81FB-438930E15A93}?\Device\{AD87B044-5625-4515-B452-6A8F4B86F630}?\Device\{10C37AF1-1F74-43D1-91A8-7E35AA31E26C}?\Device\{6120059C-F05A-42FD-9248-8EA05920121E}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{2C620C25-483B-4F34-8943-5D9FFA124525}"?"{249770D5-EF36-4726-81FB-438930E15A93}"?"{AD87B044-5625-4515-B452-6A8F4B86F630}"?"{10C37AF1-1F74-43D1-91A8-7E35AA31E26C}"?"{6120059C-F05A-42FD-9248-8EA05920121E}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{2C620C25-483B-4F34-8943-5D9FFA124525}?\Device\TCPIP6TUNNEL_{249770D5-EF36-4726-81FB-438930E15A93}?\Device\TCPIP6TUNNEL_{AD87B044-5625-4515-B452-6A8F4B86F630}?\Device\TCPIP6TUNNEL_{10C37AF1-1F74-43D1-91A8-7E35AA31E26C}?\Device\TCPIP6TUNNEL_{6120059C-F05A-42FD-9248-8EA05920121E}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{AD87B044-5625-4515-B452-6A8F4B86F630}@InterfaceName isatap.{E0C1EE07-E3C7-4491-89BA-EC50B521F251} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{AD87B044-5625-4515-B452-6A8F4B86F630}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 18248 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9840 ---- EOF - GMER 2.0 ----