GMER 2.1.18952 - http://www.gmer.net Rootkit scan 2013-02-20 18:23:40 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD103SJ rev.1AJ10001 931,51GB Running: dpm2bv8r.exe; Driver: C:\Users\User\AppData\Local\Temp\awlcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 0000000149f40440 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 0000000149f40430 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 0000000149f40450 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0xffffffffd28fee90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 0000000149f403b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 0000000149f40320 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 0000000149f40380 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 0000000149f402e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 0000000149f40410 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 0000000149f402d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 0000000149f40310 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 0000000149f40390 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 0000000149f403c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 0000000149f40230 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0xffffffffd28fe890} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 0000000149f40460 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 0000000149f40370 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 0000000149f402f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 0000000149f40350 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 0000000149f40290 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 0000000149f402b0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 0000000149f403a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 0000000149f40330 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0xffffffffd28fe590} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 0000000149f403e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 0000000149f40240 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 0000000149f401e0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 0000000149f40250 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0xffffffffd28fe090} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 0000000149f40470 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 0000000149f40480 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 0000000149f40300 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 0000000149f40360 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 0000000149f402a0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 0000000149f402c0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 0000000149f40340 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 0000000149f40420 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 0000000149f40260 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 0000000149f40270 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 0000000149f403d0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0xffffffffd28fdb90} .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 0000000149f401f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 0000000149f40210 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 0000000149f40200 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 0000000149f403f0 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 0000000149f40400 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 0000000149f40220 .text C:\Windows\system32\csrss.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 0000000149f40280 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 0000000149f40440 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 0000000149f40430 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 0000000149f40450 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0xffffffffd28fee90} .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 0000000149f403b0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 0000000149f40320 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 0000000149f40380 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 0000000149f402e0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 0000000149f40410 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 0000000149f402d0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 0000000149f40310 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 0000000149f40390 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 0000000149f403c0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 0000000149f40230 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0xffffffffd28fe890} .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 0000000149f40460 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 0000000149f40370 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 0000000149f402f0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 0000000149f40350 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 0000000149f40290 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 0000000149f402b0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 0000000149f403a0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 0000000149f40330 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0xffffffffd28fe590} .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 0000000149f403e0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 0000000149f40240 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 0000000149f401e0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 0000000149f40250 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0xffffffffd28fe090} .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 0000000149f40470 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 0000000149f40480 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 0000000149f40300 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 0000000149f40360 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 0000000149f402a0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 0000000149f402c0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 0000000149f40340 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 0000000149f40420 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 0000000149f40260 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 0000000149f40270 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 0000000149f403d0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0xffffffffd28fdb90} .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 0000000149f401f0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 0000000149f40210 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 0000000149f40200 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 0000000149f403f0 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 0000000149f40400 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 0000000149f40220 .text C:\Windows\system32\csrss.exe[616] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 0000000149f40280 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\wininit.exe[624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\wininit.exe[624] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\winlogon.exe[672] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\services.exe[720] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\services.exe[720] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0xffffffff88a2ee90} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0xffffffff88a2e890} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0xffffffff88a2e590} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0xffffffff88a2e090} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0xffffffff88a2db90} .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\lsm.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[832] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[832] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\nvvsvc.exe[916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[940] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[984] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\svchost.exe[364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[428] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[708] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[708] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1240] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1376] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\nvvsvc.exe[1396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\Dwm.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\Explorer.EXE[1604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\Explorer.EXE[1604] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\spoolsv.exe[1748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\taskhost.exe[1756] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[1808] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1972] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000000777a03b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Program Files\Bonjour\mDNSResponder.exe[2020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1060] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe[1060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Windows\system32\svchost.exe[1464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 000000010045075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001004503a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 0000000100450b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 0000000100450ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 000000010045163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 0000000100451284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2852] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 000000010044075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001004403a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 0000000100440b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 0000000100440ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 000000010044163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 0000000100441284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[1512] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe[1560] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 00000001000e1014 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 00000001000e0e10 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Gadu-Gadu 10\gg.exe[3080] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 00000001000e0600 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 00000001003f075c .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001003f03a4 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 00000001003f0b14 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 00000001003f0ecc .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000001003f163c .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 00000001003f1284 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Windows\system32\SearchIndexer.exe[3156] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100270a08 .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\ipla\ipla.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text E:\Program Files (x86)\Steam\steam.exe[3220] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 0000000076d6549c 5 bytes JMP 0000000100290800 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 00000001001b075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001001b03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 00000001001b0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 00000001001b0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000001001b163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 00000001001b1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3236] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3352] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe[3524] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000777e000c 3 bytes [8B, 40, 30] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll!getJit + 32 0000000063069380 4 bytes [80, 25, 00, 10] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[3580] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3620] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3672] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\CyberLink\Power2Go\CLMLSvc.exe[3688] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\CyberLink\PowerDVD\PDVDServ.exe[3756] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Razer\DeathAdder\razerhid.exe[3804] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Razer\Lycosa\razerhid.exe[3860] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 00000001001d1014 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 00000001001d0c0c .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 00000001001d0e10 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001e01f8 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001e03fc .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001001e0804 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001001e0600 .text C:\Program Files (x86)\Browsers Protector\regmon32.exe[4004] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001001e0a08 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Razer\DeathAdder\razertra.exe[4016] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Razer\Lycosa\razertra.exe[2948] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\iTunes\iTunesHelper.exe[3144] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 00000001003d1014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 00000001003d0c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 00000001003d0e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3256] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002301f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002303fc .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100230804 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100230600 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100230a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Razer\DeathAdder\razerofa.exe[3392] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100240600 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 000000010047075c .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001004703a4 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 0000000100470b14 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 0000000100470ecc .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 000000010047163c .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 0000000100471284 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Program Files\iPod\bin\iPodService.exe[3664] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 000000010010075c .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001001003a4 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 000000010010163c .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 0000000100101284 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Windows\system32\svchost.exe[4012] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0xffffffff88a2ee90} .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000001001e163c .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0xffffffff88a2e890} .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0xffffffff88a2e590} .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0xffffffff88a2e090} .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0xffffffff88a2db90} .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Windows\System32\svchost.exe[4360] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 000000010022075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001002203a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 0000000100220b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 0000000100220ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 000000010022163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 0000000100221284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007752eecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[3348] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077613ae0 5 bytes JMP 00000001001e075c .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077617a90 5 bytes JMP 00000001001e03a4 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776413c0 5 bytes JMP 00000000777a0440 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077641410 5 bytes JMP 00000000777a0430 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077641490 5 bytes JMP 00000001001e0b14 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776414f0 5 bytes JMP 00000001001e0ecc .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776415c0 1 byte JMP 00000000777a0450 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776415c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776415d0 5 bytes JMP 00000001001e163c .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077641680 5 bytes JMP 00000000777a0320 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776416b0 5 bytes JMP 00000000777a0380 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077641710 5 bytes JMP 00000000777a02e0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077641760 5 bytes JMP 00000000777a0410 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077641790 5 bytes JMP 00000000777a02d0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776417b0 5 bytes JMP 00000000777a0310 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776417f0 5 bytes JMP 00000000777a0390 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077641810 5 bytes JMP 00000001001e1284 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077641840 5 bytes JMP 00000000777a03c0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776419a0 1 byte JMP 00000000777a0230 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776419a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077641b60 5 bytes JMP 00000000777a0460 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077641b90 5 bytes JMP 00000000777a0370 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077641c70 5 bytes JMP 00000000777a02f0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077641c80 5 bytes JMP 00000000777a0350 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077641ce0 5 bytes JMP 00000000777a0290 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077641d70 5 bytes JMP 00000000777a02b0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077641d90 5 bytes JMP 00000000777a03a0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077641da0 1 byte JMP 00000000777a0330 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077641da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077641e10 5 bytes JMP 00000000777a03e0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077641e40 5 bytes JMP 00000000777a0240 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077642100 5 bytes JMP 00000000777a01e0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776421c0 1 byte JMP 00000000777a0250 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776421c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776421f0 5 bytes JMP 00000000777a0470 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077642200 5 bytes JMP 00000000777a0480 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077642230 5 bytes JMP 00000000777a0300 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077642240 5 bytes JMP 00000000777a0360 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776422a0 5 bytes JMP 00000000777a02a0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776422f0 5 bytes JMP 00000000777a02c0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077642330 5 bytes JMP 00000000777a0340 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077642620 5 bytes JMP 00000000777a0420 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077642820 5 bytes JMP 00000000777a0260 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077642830 5 bytes JMP 00000000777a0270 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077642840 1 byte JMP 00000000777a03d0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077642842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077642a00 5 bytes JMP 00000000777a01f0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077642a10 5 bytes JMP 00000000777a0210 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077642a80 5 bytes JMP 00000000777a0200 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077642ae0 5 bytes JMP 00000000777a03f0 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077642af0 5 bytes JMP 00000000777a0400 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077642b00 5 bytes JMP 00000000777a0220 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077642be0 5 bytes JMP 00000000777a0280 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff8b6e00 5 bytes JMP 000007ff7f8d1dac .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff8b6f2c 5 bytes JMP 000007ff7f8d0ecc .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff8b7220 5 bytes JMP 000007ff7f8d1284 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff8b739c 5 bytes JMP 000007ff7f8d163c .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff8b7538 5 bytes JMP 000007ff7f8d19f4 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff8b75e8 5 bytes JMP 000007ff7f8d03a4 .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff8b790c 5 bytes JMP 000007ff7f8d075c .text C:\Windows\System32\svchost.exe[5488] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff8b7ab4 5 bytes JMP 000007ff7f8d0b14 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001a01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001a03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001001a0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001001a0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001001a0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100261014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100260804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100260a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100260c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100260e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002601f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002603fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100260600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000777ef991 8 bytes {MOV EDX, 0x903e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 15 00000000777ef99b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 5 00000000777efa0d 8 bytes {MOV EDX, 0x901a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey + 15 00000000777efa17 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 00000001000d0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 5 00000000777efb25 8 bytes {MOV EDX, 0x90168; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey + 15 00000000777efb2f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 00000001000d0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000777efbd5 8 bytes {MOV EDX, 0x90428; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 15 00000000777efbdf 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000777efc05 8 bytes {MOV EDX, 0x90368; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 15 00000000777efc0f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000777efc1d 8 bytes {MOV EDX, 0x90128; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 15 00000000777efc27 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000777efc35 8 bytes {MOV EDX, 0x904e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 15 00000000777efc3f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000777efc65 8 bytes {MOV EDX, 0x90528; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 15 00000000777efc6f 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 00000001000d0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000777efce5 8 bytes {MOV EDX, 0x904a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 15 00000000777efcef 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000777efcfd 8 bytes {MOV EDX, 0x90468; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 15 00000000777efd07 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000777efd49 8 bytes {MOV EDX, 0x90068; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 15 00000000777efd53 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 5 00000000777efdad 8 bytes {MOV EDX, 0x902e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection + 15 00000000777efdb7 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000777efe41 8 bytes {MOV EDX, 0x900a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 15 00000000777efe4b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 5 00000000777eff89 8 bytes {MOV EDX, 0x902a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 15 00000000777eff93 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 00000001000d0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000777f0099 8 bytes {MOV EDX, 0x90028; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 15 00000000777f00a3 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 5 00000000777f0781 8 bytes {MOV EDX, 0x90268; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant + 15 00000000777f078b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 5 00000000777f0ffd 8 bytes {MOV EDX, 0x901e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx + 15 00000000777f1007 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 5 00000000777f105d 8 bytes {MOV EDX, 0x90228; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant + 15 00000000777f1067 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000777f10a5 8 bytes {MOV EDX, 0x903a8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 15 00000000777f10af 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000777f111d 8 bytes {MOV EDX, 0x90328; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 15 00000000777f1127 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000777f1321 8 bytes {MOV EDX, 0x900e8; JMP RDX} .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 15 00000000777f132b 1 byte [90] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000d01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000d03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\KERNEL32.dll!CreateProcessW 0000000076c5103d 5 bytes JMP 0000000100010030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\KERNEL32.dll!CreateProcessA 0000000076c51072 5 bytes JMP 0000000100010070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\KERNELBASE.dll!CreateEventW 0000000076d6119f 5 bytes JMP 0000000100020030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\KERNELBASE.dll!OpenEventW 0000000076d611cf 5 bytes JMP 0000000100020070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetDeviceCaps 0000000075724de0 5 bytes JMP 00000001001f03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SelectObject 0000000075724f70 5 bytes JMP 00000001001f05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetBkMode 00000000757251a2 5 bytes JMP 00000001001f08f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetTextColor 000000007572522d 5 bytes JMP 00000001001f0a30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!DeleteObject 0000000075725689 5 bytes JMP 00000001001f01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!DeleteDC 00000000757258b3 5 bytes JMP 00000001001f0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetCurrentObject 0000000075726bad 5 bytes JMP 00000001001f0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SaveDC 0000000075726e05 5 bytes JMP 00000001001f0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!RestoreDC 0000000075726ead 5 bytes JMP 00000001001f0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetStretchBltMode 0000000075727180 5 bytes JMP 00000001001f06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!StretchDIBits 0000000075727435 5 bytes JMP 00000001001f0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!CreateDCA 0000000075727bcc 5 bytes JMP 00000001001f00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!IntersectClipRect 0000000075727dc4 5 bytes JMP 00000001001f03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextAlign 0000000075727fd5 5 bytes JMP 00000001001f0d70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextMetricsW 00000000757282b2 5 bytes JMP 00000001001f0e30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetTextAlign 0000000075728401 5 bytes JMP 00000001001f09f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!ExtSelectClipRgn 000000007572879f 5 bytes JMP 00000001001f02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SelectClipRgn 0000000075728916 5 bytes JMP 00000001001f05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!ExtTextOutW 0000000075728b7a 5 bytes JMP 00000001001f0970 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!MoveToEx 0000000075728ee6 5 bytes JMP 00000001001f0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetFontData 0000000075729875 5 bytes JMP 00000001001f0c70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextFaceW 0000000075729936 5 bytes JMP 00000001001f0d30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!Rectangle 000000007572a53a 5 bytes JMP 00000001001f09b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetClipBox 000000007572af9f 5 bytes JMP 00000001001f0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!LineTo 000000007572b9e5 5 bytes JMP 00000001001f0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetICMMode 000000007572bd55 5 bytes JMP 00000001001f0db0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!CreateICW 000000007572c040 5 bytes JMP 00000001001f0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32W 000000007572c107 5 bytes JMP 00000001001f0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetWorldTransform 000000007572c269 5 bytes JMP 00000001001f06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextMetricsA 000000007572d1f1 5 bytes JMP 00000001001f0df0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextExtentPoint32A 000000007572d349 5 bytes JMP 00000001001f0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!ExtTextOutA 000000007572dce4 5 bytes JMP 00000001001f0930 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!CreateDCW 000000007572e743 5 bytes JMP 00000001001f00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!ExtEscape 00000000757303b7 5 bytes JMP 00000001001f02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!Escape 0000000075731bda 5 bytes JMP 00000001001f0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetTextFaceA 0000000075731e89 5 bytes JMP 00000001001f0cf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetPolyFillMode 0000000075734843 5 bytes JMP 00000001001f0b30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SetMiterLimit 0000000075735690 5 bytes JMP 00000001001f0b70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!EndPage 0000000075736bde 5 bytes JMP 00000001001f0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!ResetDCW 000000007573e2db 5 bytes JMP 00000001001f0ab0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!GetGlyphOutlineW 000000007574940d 5 bytes JMP 00000001001f0cb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!CreateScalableFontResourceW 000000007574c621 5 bytes JMP 00000001001f0bb0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!AddFontResourceW 000000007574d2b2 5 bytes JMP 00000001001f0bf0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!RemoveFontResourceW 000000007574d919 5 bytes JMP 00000001001f0c30 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!AbortDoc 0000000075753adc 5 bytes JMP 00000001001f0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!EndDoc 0000000075753f29 5 bytes JMP 00000001001f01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!StartPage 000000007575401a 5 bytes JMP 00000001001f0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!StartDocW 0000000075754c51 5 bytes JMP 00000001001f07f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!BeginPath 00000000757553fd 5 bytes JMP 00000001001f0830 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!SelectClipPath 0000000075755454 5 bytes JMP 00000001001f0af0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!CloseFigure 00000000757554af 5 bytes JMP 00000001001f0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!EndPath 0000000075755506 5 bytes JMP 00000001001f0a70 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!StrokePath 000000007575573f 5 bytes JMP 00000001001f07b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!FillPath 00000000757557d2 5 bytes JMP 00000001001f0870 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!PolylineTo 0000000075755c44 5 bytes JMP 00000001001f04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!PolyBezierTo 0000000075755cd5 5 bytes JMP 00000001001f04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\GDI32.dll!PolyDraw 0000000075755d87 5 bytes JMP 00000001001f08b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!MapWindowPoints 0000000075438c40 5 bytes JMP 00000001002b0570 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatW 0000000075439ebd 5 bytes JMP 00000001002b02b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002c01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!RegisterClipboardFormatA 0000000075440afa 5 bytes JMP 00000001002b02f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClientRect 0000000075440c62 7 bytes JMP 00000001002b05b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetParent 0000000075440f68 7 bytes JMP 00000001002b06f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!IsWindowVisible 000000007544112d 7 bytes JMP 00000001002b06b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!PostMessageW 00000000754412a5 5 bytes JMP 00000001002b05f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!ScreenToClient 000000007544227d 7 bytes JMP 00000001002b0670 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!MonitorFromWindow 0000000075443150 7 bytes JMP 00000001002b0630 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002c03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetCursor 00000000754441f6 5 bytes JMP 00000001002b0530 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameA 00000000754468ef 5 bytes JMP 00000001002b0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 00000001002c0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardFormatNameW 00000000754477fa 5 bytes JMP 00000001002b0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetTopWindow 0000000075447887 7 bytes JMP 00000001002b0730 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 00000001002c0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!IsClipboardFormatAvailable 0000000075448676 5 bytes JMP 00000001002b00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardSequenceNumber 0000000075448696 5 bytes JMP 00000001002b0330 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!CloseClipboard 0000000075448e8d 5 bytes JMP 00000001002b00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!OpenClipboard 0000000075448ecb 5 bytes JMP 00000001002b0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain 000000007544c17b 5 bytes JMP 00000001002b0430 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!EnumClipboardFormats 000000007544c449 5 bytes JMP 00000001002b01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetOpenClipboardWindow 000000007544c468 5 bytes JMP 00000001002b03f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!CountClipboardFormats 000000007544c486 5 bytes JMP 00000001002b01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetClipboardViewer 000000007544c4b6 5 bytes JMP 00000001002b04b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!ActivateKeyboardLayout 000000007544d6c0 5 bytes JMP 00000001002b04f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardOwner 000000007544e360 5 bytes JMP 00000001002b0370 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 00000001002c0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetClipboardData 0000000075478e57 5 bytes JMP 00000001002b0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000075479cfd 5 bytes JMP 00000001002b0770 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardData 0000000075479f1d 5 bytes JMP 00000001002b0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!EmptyClipboard 0000000075497cb9 5 bytes JMP 00000001002b0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetClipboardViewer 0000000075498111 5 bytes JMP 00000001002b0470 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\USER32.dll!GetPriorityClipboardFormat 000000007549832f 5 bytes JMP 00000001002b03b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 00000001002d1014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 00000001002d0804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 00000001002d0a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 00000001002d0c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 00000001002d0e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002d01f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002d03fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 00000001002d0600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!FreeContextBuffer 0000000074ec9606 5 bytes JMP 00000001002e00f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!FreeCredentialsHandle 0000000074ed0581 5 bytes JMP 00000001002e0130 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!DeleteSecurityContext 0000000074ed0bb9 5 bytes JMP 00000001002e0270 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!ApplyControlToken 0000000074ed0c2e 5 bytes JMP 00000001002e01b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!QueryContextAttributesA 0000000074ed0f2e 5 bytes JMP 00000001002e0070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!QueryCredentialsAttributesA 0000000074ed1096 5 bytes JMP 00000001002e00b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!EncryptMessage 0000000074ed124e 5 bytes JMP 00000001002e01f0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!DecryptMessage 0000000074ed129d 5 bytes JMP 00000001002e0230 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!AcquireCredentialsHandleA 0000000074ed1527 5 bytes JMP 00000001002e0030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\SspiCli.dll!InitializeSecurityContextA 0000000074ed1590 5 bytes JMP 00000001002e0170 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\ole32.dll!OleSetClipboard 0000000076a10045 5 bytes JMP 0000000100330030 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\ole32.dll!OleIsCurrentClipboard 0000000076a136b2 5 bytes JMP 0000000100330070 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\ole32.dll!OleGetClipboard 0000000076a3fdcd 5 bytes JMP 00000001003300b0 .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_6_602_168.exe[6064] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate 0000000076d6549c 5 bytes JMP 00000001001a0800 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074f11465 2 bytes [F1, 74] .text C:\Program Files (x86)\Common Files\Steam\SteamService.exe[5860] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074f114bb 2 bytes [F1, 74] .text ... * 2 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777efaa0 5 bytes JMP 0000000100030600 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777efb38 5 bytes JMP 0000000100030804 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777efc90 5 bytes JMP 0000000100030c0c .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777f0018 5 bytes JMP 0000000100030a08 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007780c45a 5 bytes JMP 00000001000301f8 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077811217 5 bytes JMP 00000001000303fc .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076c7a30a 1 byte [62] .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 00000000755d5181 5 bytes JMP 0000000100241014 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 00000000755d5254 5 bytes JMP 0000000100240804 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000755d53d5 5 bytes JMP 0000000100240a08 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000755d54c2 5 bytes JMP 0000000100240c0c .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000755d55e2 5 bytes JMP 0000000100240e10 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 00000000755d567c 5 bytes JMP 00000001002401f8 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 00000000755d589f 5 bytes JMP 00000001002403fc .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\SysWOW64\sechost.dll!DeleteService 00000000755d5a22 5 bytes JMP 0000000100240600 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007543ee09 5 bytes JMP 00000001002501f8 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075443982 5 bytes JMP 00000001002503fc .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075447603 5 bytes JMP 0000000100250804 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007544835c 5 bytes JMP 0000000100250600 .text C:\Users\User\Downloads\dpm2bv8r.exe[4860] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007545f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3352:4656] 000007feff6b0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3352:4712] 000007fefbf42a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3352:4752] 000007fef0cad618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3352:4884] 000007fef9235124 ---- EOF - GMER 2.1 ----