GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-14 12:48:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JE4O 698,64GB Running: 4fcoig10.exe; Driver: C:\Users\Dominik\AppData\Local\Temp\agriakod.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!EngSetLastError + 628 fffff96000164994 8 bytes [98, 40, 27, 04, 80, F8, FF, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000193c00 7 bytes [00, 96, F3, FF, 01, A2, F0] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000193c08 3 bytes [C0, 06, 02] .text ... * 110 .text C:\Windows\System32\win32k.sys!EngGetProcessHandle + 404 fffff96000252920 6 bytes {JMP QWORD [RIP-0x11de7e]} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffff88b0ee90} .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffff88b0e890} .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffff88b0e590} .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffff88b0e090} .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffff88b0db90} .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[680] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\wininit.exe[964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\wininit.exe[964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000149f60440 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000149f60430 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000149f60450 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffffd294ee90} .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 0000000149f603b0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000149f60320 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000149f60380 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 0000000149f602e0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000149f60410 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 0000000149f602d0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000149f60310 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000149f60390 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 0000000149f603c0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000149f60230 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffffd294e890} .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000149f60460 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000149f60370 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 0000000149f602f0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000149f60350 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000149f60290 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 0000000149f602b0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 0000000149f603a0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000149f60330 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffffd294e590} .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 0000000149f603e0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000149f60240 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 0000000149f601e0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000149f60250 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffffd294e090} .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000149f60470 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000149f60480 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000149f60300 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000149f60360 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 0000000149f602a0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 0000000149f602c0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000149f60340 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000149f60420 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000149f60260 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000149f60270 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 0000000149f603d0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffffd294db90} .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 0000000149f601f0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000149f60210 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000149f60200 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 0000000149f603f0 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000149f60400 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000149f60220 .text C:\Windows\system32\csrss.exe[992] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000149f60280 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\services.exe[152] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\services.exe[152] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffff88a5ee90} .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffff88a5e890} .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffff88a5e590} .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffff88a5e090} .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffff88a5db90} .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[520] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\lsm.exe[532] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\winlogon.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[940] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\System32\svchost.exe[1104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffff88a5ee90} .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffff88a5e890} .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffff88a5e590} .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffff88a5e090} .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffff88a5db90} .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1140] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[1232] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1400] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\atieclxx.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\svchost.exe[1748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\System32\spoolsv.exe[1964] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1572] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000000777703b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[2092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010016075c .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010016163c .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100161284 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\taskhost.exe[2624] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010016075c .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010016163c .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100161284 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\Dwm.exe[2748] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001000a075c .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001000a03a4 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000100070440 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000100070430 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001000a0b14 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001000a0ecc .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000100070450 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffff88a5ee90} .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001000a163c .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000100070320 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000100070380 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000001000702e0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000100070410 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000001000702d0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000100070310 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000100070390 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001000a1284 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000001000703c0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000100070230 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffff88a5e890} .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000100070460 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000100070370 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000001000702f0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000100070350 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000100070290 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000001000702b0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000001000703a0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000100070330 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffff88a5e590} .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000001000703e0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000100070240 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000001000701e0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000100070250 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffff88a5e090} .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000100070470 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000100070480 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000100070300 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000100070360 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000100070340 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000100070420 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000100070260 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000100070270 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000001000703d0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffff88a5db90} .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000001000701f0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000100070210 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000100070200 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000100070400 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000100070220 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000100070280 .text C:\Windows\Explorer.EXE[2756] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\Explorer.EXE[2756] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010010075c .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001003a4 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100100b14 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100100ecc .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010010163c .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100101284 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\ProgramData\DatacardService\HWDeviceService64.exe[2956] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001002401f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001002403fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100240804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100240600 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100240a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100261014 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100260804 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100260a08 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100260c0c .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100260e10 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001002601f8 .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001002603fc .text C:\ProgramData\DatacardService\DCSHelper.exe[3024] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100260600 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001002d075c .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001002d03a4 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001002d0b14 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001002d0ecc .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001002d163c .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001002d1284 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[3056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010043075c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001004303a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100430b14 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100430ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010043163c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100431284 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe[2584] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010093075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001009303a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100930b14 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100930ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010093163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100931284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2620] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\IDT\WDM\sttray64.exe[2824] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001002e075c .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001002e03a4 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001002e0b14 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001002e0ecc .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001002e163c .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001002e1284 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\igfxtray.exe[2572] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001002e075c .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001002e03a4 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001002e0b14 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001002e0ecc .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001002e163c .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001002e1284 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\hkcmd.exe[2828] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010032075c .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001003203a4 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100320b14 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100320ecc .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010032163c .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100321284 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\igfxpers.exe[1860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 3 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!SetWinEventHook + 4 000000007685ee0d 1 byte [89] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3208] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[3232] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100260600 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100060600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100060804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100060c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100060a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000601f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000603fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001000c01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001000c03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 00000001000c0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 00000001000c0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 00000001000c0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 00000001000d1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 00000001000d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 00000001000d0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 00000001000d0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 00000001000d0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001000d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001000d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 00000001000d0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[3316] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[3408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001000d01f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001000d03fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 00000001000d0804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 00000001000d0600 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 00000001000d0a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 00000001000e1014 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 00000001000e0804 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 00000001000e0a08 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 00000001000e0c0c .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 00000001000e0e10 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001000e01f8 .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001000e03fc .text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[3508] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 00000001000e0600 .text C:\Windows\system32\svchost.exe[3540] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\svchost.exe[3540] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010028075c .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001002803a4 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100280b14 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100280ecc .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0xffffffff88a5ee90} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010028163c .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100281284 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0xffffffff88a5e890} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0xffffffff88a5e590} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0xffffffff88a5e090} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0xffffffff88a5db90} .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\svchost.exe[3632] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010014075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001403a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100140b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100140ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010014163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100141284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3656] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\wbem\unsecapp.exe[4084] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\wbem\unsecapp.exe[3104] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010014075c .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001403a4 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100140b14 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100140ecc .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010014163c .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100141284 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\SearchIndexer.exe[1380] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[2452] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\alg.exe[4100] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\svchost.exe[4128] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 3 bytes JMP 000000010019163c .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess + 4 00000000776115d4 1 byte [88] .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\system32\wbem\wmiprvse.exe[4140] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\System32\WUDFHost.exe[4292] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4392] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010030075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001003003a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100300b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100300ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010030163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100301284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1032] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001003c075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001003c03a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001003c0b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001003c0ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001003c163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2632] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001003c1284 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3276] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4036] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100160a08 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 000000010035075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001003503a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 0000000100350b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 0000000100350ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 000000010035163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 0000000100351284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Program Files\Windows Media Player\wmpnetwk.exe[4996] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 00000000775e3ae0 5 bytes JMP 00000001002d075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 00000000775e7a90 5 bytes JMP 00000001002d03a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000776113c0 5 bytes JMP 0000000077770440 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077611410 5 bytes JMP 0000000077770430 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077611490 5 bytes JMP 00000001002d0b14 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000776114f0 5 bytes JMP 00000001002d0ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000776115c0 1 byte JMP 0000000077770450 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000776115c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000776115d0 5 bytes JMP 00000001002d163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077611680 5 bytes JMP 0000000077770320 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000776116b0 5 bytes JMP 0000000077770380 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077611710 5 bytes JMP 00000000777702e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077611760 5 bytes JMP 0000000077770410 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077611790 5 bytes JMP 00000000777702d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000776117b0 5 bytes JMP 0000000077770310 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000776117f0 5 bytes JMP 0000000077770390 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077611810 5 bytes JMP 00000001002d1284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077611840 5 bytes JMP 00000000777703c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000776119a0 1 byte JMP 0000000077770230 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000776119a2 3 bytes {JMP 0x15e890} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077611b60 5 bytes JMP 0000000077770460 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077611b90 5 bytes JMP 0000000077770370 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077611c70 5 bytes JMP 00000000777702f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077611c80 5 bytes JMP 0000000077770350 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077611ce0 5 bytes JMP 0000000077770290 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077611d70 5 bytes JMP 00000000777702b0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077611d90 5 bytes JMP 00000000777703a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077611da0 1 byte JMP 0000000077770330 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077611da2 3 bytes {JMP 0x15e590} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077611e10 5 bytes JMP 00000000777703e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077611e40 5 bytes JMP 0000000077770240 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077612100 5 bytes JMP 00000000777701e0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000776121c0 1 byte JMP 0000000077770250 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000776121c2 3 bytes {JMP 0x15e090} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000776121f0 5 bytes JMP 0000000077770470 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077612200 5 bytes JMP 0000000077770480 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077612230 5 bytes JMP 0000000077770300 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077612240 5 bytes JMP 0000000077770360 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000776122a0 5 bytes JMP 00000000777702a0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000776122f0 5 bytes JMP 00000000777702c0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077612330 5 bytes JMP 0000000077770340 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077612620 5 bytes JMP 0000000077770420 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077612820 5 bytes JMP 0000000077770260 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077612830 5 bytes JMP 0000000077770270 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077612840 1 byte JMP 00000000777703d0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077612842 3 bytes {JMP 0x15db90} .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077612a00 5 bytes JMP 00000000777701f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077612a10 5 bytes JMP 0000000077770210 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077612a80 5 bytes JMP 0000000077770200 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077612ae0 5 bytes JMP 00000000777703f0 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077612af0 5 bytes JMP 0000000077770400 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077612b00 5 bytes JMP 0000000077770220 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077612be0 5 bytes JMP 0000000077770280 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000772aeecd 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff4f6e00 5 bytes JMP 000007ff7f511dac .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff4f6f2c 5 bytes JMP 000007ff7f510ecc .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff4f7220 5 bytes JMP 000007ff7f511284 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff4f739c 5 bytes JMP 000007ff7f51163c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff4f7538 5 bytes JMP 000007ff7f5119f4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff4f75e8 5 bytes JMP 000007ff7f5103a4 .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff4f790c 5 bytes JMP 000007ff7f51075c .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[936] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff4f7ab4 5 bytes JMP 000007ff7f510b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 3 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!SetWinEventHook + 4 000000007685ee0d 1 byte [89] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001003101f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076862da4 5 bytes JMP 000000016c1d9ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001003103fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 0000000100310804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100310600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007687cbf3 5 bytes JMP 000000016c328f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007687cfca 3 bytes JMP 000000016c131893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!DialogBoxParamW + 4 000000007687cfce 1 byte [F5] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 0000000100310a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007689cb0c 5 bytes JMP 000000016c328ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007689ce64 5 bytes JMP 000000016c328f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000768afbd1 5 bytes JMP 000000016c328e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000768afc9d 5 bytes JMP 000000016c328ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000768afcd6 5 bytes JMP 000000016c328d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000768afcfa 5 bytes JMP 000000016c328d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076c693ec 5 bytes JMP 000000016c329150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000722b388e 5 bytes JMP 000000016c329000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000072357922 5 bytes JMP 000000016c3290a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1948] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076672694 5 bytes JMP 000000016c329348 ? C:\Windows\system32\mssprxy.dll [1948] entry point in ".rdata" section 000000006af271e6 ? C:\Windows\System32\NLSData0000.dll [1948] entry point in ".rdata" section 0000000066e9c541 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000777bfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000777bfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000777bfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000777c0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 00000000777d25fd 6 bytes JMP 000000016c1f8054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000777dc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000777e1217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 00000000777e2a63 6 bytes JMP 000000016c19980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\KERNEL32.dll!CreateThread 00000000769d34b5 5 bytes JMP 000000016c1975e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000074f15181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000074f15254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000074f153d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000074f154c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000074f155e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000074f1567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000074f1589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000074f15a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076858a29 5 bytes JMP 000000016c2003df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!CreateWindowExA 000000007685d22e 5 bytes JMP 000000016c1a3643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007685ee09 5 bytes JMP 00000001003901f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000076862da4 5 bytes JMP 000000016c1d9ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076863982 5 bytes JMP 00000001003903fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076866285 5 bytes JMP 000000016c1f7ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076867603 5 bytes JMP 000000016c1d25b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007686835c 5 bytes JMP 0000000100390600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 000000007687cbf3 5 bytes JMP 000000016c328f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007687cfca 3 bytes JMP 000000016c131893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxParamW + 4 000000007687cfce 1 byte [F5] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007687f52b 5 bytes JMP 000000016c21ed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 000000007689cb0c 5 bytes JMP 000000016c328ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 000000007689ce64 5 bytes JMP 000000016c328f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 00000000768afbd1 5 bytes JMP 000000016c328e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 00000000768afc9d 5 bytes JMP 000000016c328ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxExA 00000000768afcd6 5 bytes JMP 000000016c328d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\USER32.dll!MessageBoxExW 00000000768afcfa 5 bytes JMP 000000016c328d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075036143 5 bytes JMP 000000016c329704 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076c03e59 5 bytes JMP 000000016c3297fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076c03eae 5 bytes JMP 000000016c32987a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076c04731 5 bytes JMP 000000016c32976e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076c05dee 5 bytes JMP 000000016c32981a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076c693ec 5 bytes JMP 000000016c329150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000769b1465 2 bytes [9B, 76] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000769b14bb 2 bytes [9B, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 00000000722b388e 5 bytes JMP 000000016c329000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 0000000072357922 5 bytes JMP 000000016c3290a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3436] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 0000000076672694 5 bytes JMP 000000016c329348 .text C:\Users\Dominik\Desktop\4fcoig10.exe[3556] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000769fa30a 1 byte [62] ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3632:6036] 000007fef5c79688 ---- EOF - GMER 2.1 ----