GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-19 00:34:02 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-75ZCT2 rev.11.01A11 298,09GB Running: fb5ke5qk.exe; Driver: C:\Users\Admin\AppData\Local\Temp\uwddakob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0xffffffff8898ee90} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0xffffffff8898e890} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0xffffffff8898e590} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0xffffffff8898e090} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0xffffffff8898db90} .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[412] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\wininit.exe[480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\wininit.exe[480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 0000000149ae0440 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 0000000149ae0430 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 0000000149ae0450 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0xffffffffd234ee90} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 0000000149ae03b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 0000000149ae0320 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 0000000149ae0380 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 0000000149ae02e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 0000000149ae0410 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 0000000149ae02d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 0000000149ae0310 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 0000000149ae0390 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 0000000149ae03c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 0000000149ae0230 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0xffffffffd234e890} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 0000000149ae0460 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 0000000149ae0370 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 0000000149ae02f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 0000000149ae0350 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 0000000149ae0290 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 0000000149ae02b0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 0000000149ae03a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 0000000149ae0330 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0xffffffffd234e590} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 0000000149ae03e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 0000000149ae0240 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 0000000149ae01e0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 0000000149ae0250 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0xffffffffd234e090} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 0000000149ae0470 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 0000000149ae0480 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 0000000149ae0300 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 0000000149ae0360 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 0000000149ae02a0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 0000000149ae02c0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 0000000149ae0340 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 0000000149ae0420 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 0000000149ae0260 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 0000000149ae0270 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 0000000149ae03d0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0xffffffffd234db90} .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 0000000149ae01f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 0000000149ae0210 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 0000000149ae0200 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 0000000149ae03f0 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 0000000149ae0400 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 0000000149ae0220 .text C:\Windows\system32\csrss.exe[508] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 0000000149ae0280 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\services.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\services.exe[560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0xffffffff888dee90} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0xffffffff888de890} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0xffffffff888de590} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0xffffffff888de090} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0xffffffff888ddb90} .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsass.exe[576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\lsass.exe[576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\lsm.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[700] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\winlogon.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\atiesrxx.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[408] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[492] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[1048] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[1148] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\atieclxx.exe[1272] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\WLANExt.exe[1432] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\conhost.exe[1440] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000000778f03b0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\spoolsv.exe[1584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0xffffffff888dee90} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0xffffffff888de890} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0xffffffff888de590} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0xffffffff888de090} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0xffffffff888ddb90} .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1912] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1912] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1912] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010046075c .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001004603a4 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100460b14 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100460ecc .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010046163c .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100461284 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Program Files\Bonjour\mDNSResponder.exe[1120] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001000d01f8 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001000d03fc .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 00000001000d0804 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 00000001000d0600 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 00000001000d0a08 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 00000001000e1014 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 00000001000e0804 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 00000001000e0a08 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 00000001000e0c0c .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 00000001000e0e10 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001000e01f8 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001000e03fc .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 00000001000e0600 .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Users\Admin\AppData\Roaming\DefaultTab\DefaultTab\DTUpdate.exe[1404] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1748] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010024075c .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001002403a4 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100240b14 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100240ecc .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010024163c .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100241284 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\svchost.exe[2116] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001002e075c .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001002e03a4 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001002e0b14 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001002e0ecc .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001002e163c .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001002e1284 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\taskhost.exe[2544] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001003b075c .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001003b03a4 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001003b0b14 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001003b0ecc .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001003b163c .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001003b1284 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\Explorer.EXE[2888] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\Explorer.EXE[2888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010017075c .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001001703a4 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100170b14 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100170ecc .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010017163c .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100171284 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\Dwm.exe[2460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001003b075c .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001003b03a4 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001003b0b14 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001003b0ecc .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001003b163c .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001003b1284 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Program Files\IDT\WDM\sttray64.exe[3036] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001001a075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001001a03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001001a0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001001a0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001001a163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001001a1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3068] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\McAfee Security Scan\3.0.318\SSScheduler.exe[3216] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001002401f8 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001002403fc .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100240804 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100240600 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100240a08 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100261014 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100260804 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100260a08 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100260c0c .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100260e10 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001002601f8 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001002603fc .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100260600 .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Users\Admin\AppData\Roaming\Dropbox\bin\Dropbox.exe[3248] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010040075c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001004003a4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100400b14 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100400ecc .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010040163c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100401284 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\svchost.exe[3400] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3808] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100111014 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100110c0c .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100110e10 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Search Results Toolbar\Datamngr\datamngrUI.exe[3824] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100111014 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100110804 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100110a08 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100110c0c .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100110e10 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001001101f8 .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001001103fc .text C:\iTunesHelper.exe[3856] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100110600 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001002701f8 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001002703fc .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100270804 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100270600 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100270a08 .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\iTunesHelper.exe[3856] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010046075c .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001004603a4 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100460b14 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100460ecc .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010046163c .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100461284 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Program Files\iPod\bin\iPodService.exe[432] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100151014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100150c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100150e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2720] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0xcf0a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100d50600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100d50804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0xcf0a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0xcf09a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0xcf0928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0xcf0b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0xcf0b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100d50c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0xcf0ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0xcf0aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0xcf0868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0xcf08a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100d50a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0xcf0828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0xcf09e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0xcf0968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0xcf08e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 0000000100d501f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 0000000100d503fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 0000000100d601f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 0000000100d603fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100d60804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100d60600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100d60a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100df1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100df0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100df0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100df0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100df0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 0000000100df01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 0000000100df03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100df0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0x8f6e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 00000001009c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 00000001009c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0x8f6e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0x8f6da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0x8f6d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0x8f6f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0x8f6f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 00000001009c0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0x8f6ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0x8f6ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0x8f6c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0x8f6ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 00000001009c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0x8f6c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0x8f6de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0x8f6d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0x8f6ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001009c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001009c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001009d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001009d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 00000001009d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 00000001009d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 00000001009d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 00000001009e1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 00000001009e0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 00000001009e0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 00000001009e0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 00000001009e0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001009e01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001009e03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 00000001009e0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2796] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[2940] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001003d075c .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001003d03a4 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001003d0b14 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001003d0ecc .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001003d163c .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001003d1284 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\System32\svchost.exe[524] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0x1050628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 00000001010b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 00000001010b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0x1050668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0x10505a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0x1050528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0x1050728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0x1050768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 00000001010b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0x10506e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0x10506a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0x1050468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0x10504a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 00000001010b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0x1050428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0x10505e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0x1050568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0x10504e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001010b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001010b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001010c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001010c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 00000001010c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 00000001010c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 00000001010c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 00000001010d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 00000001010d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 00000001010d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 00000001010d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 00000001010d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001010d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001010d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 00000001010d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4424] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0xb73a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100c90600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100c90804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0xb73a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0xb739a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0xb73928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0xb73b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0xb73b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100c90c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0xb73ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0xb73aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0xb73868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0xb738a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100c90a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0xb73828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0xb739e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0xb73968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0xb738e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 0000000100c901f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 0000000100c903fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 0000000100d201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 0000000100d203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100d20804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100d20600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100d20a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100d31014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100d30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100d30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100d30c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100d30e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 0000000100d301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 0000000100d303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100d30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 00000001003a075c .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001003a03a4 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 00000001003a0b14 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 00000001003a0ecc .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 00000001003a163c .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 00000001003a1284 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\SearchIndexer.exe[2756] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 3 bytes JMP 0000000100121014 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 4 0000000075415185 1 byte [8A] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100120804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100120a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100120c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100120e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001001201f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001001203fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100120600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2488] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0x65ae28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 00000001006b0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 00000001006b0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0x65ae68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0x65ada8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0x65ad28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0x65af28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0x65af68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 00000001006b0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0x65aee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0x65aea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0x65ac68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0x65aca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 00000001006b0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0x65ac28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0x65ade8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0x65ad68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0x65ace8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001006b01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001006b03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001006c01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001006c03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 00000001006c0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 00000001006c0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 00000001006c0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 00000001006d1014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 00000001006d0804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 00000001006d0a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 00000001006d0c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 00000001006d0e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001006d01f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001006d03fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 00000001006d0600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0xea3e28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000101100600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000101100804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0xea3e68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0xea3da8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0xea3d28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0xea3f28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0xea3f68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000101100c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0xea3ee8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0xea3ea8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0xea3c68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0xea3ca8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000101100a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0xea3c28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0xea3de8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0xea3d68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0xea3ce8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001011001f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001011003fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001011101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001011103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000101110804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000101110600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000101110a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 3 bytes JMP 0000000101121014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 4 0000000075415185 1 byte [8B] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000101120804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000101120a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000101120c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000101120e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001011201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001011203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000101120600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4320] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007793f991 7 bytes {MOV EDX, 0xe38628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100f10600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100f10804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007793fbd5 7 bytes {MOV EDX, 0xe38668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007793fc05 7 bytes {MOV EDX, 0xe385a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007793fc1d 7 bytes {MOV EDX, 0xe38528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007793fc35 7 bytes {MOV EDX, 0xe38728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007793fc65 7 bytes {MOV EDX, 0xe38768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100f10c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007793fce5 7 bytes {MOV EDX, 0xe386e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007793fcfd 7 bytes {MOV EDX, 0xe386a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007793fd49 7 bytes {MOV EDX, 0xe38468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007793fe41 7 bytes {MOV EDX, 0xe384a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100f10a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077940099 7 bytes {MOV EDX, 0xe38428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779410a5 7 bytes {MOV EDX, 0xe385e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007794111d 7 bytes {MOV EDX, 0xe38568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077941321 7 bytes {MOV EDX, 0xe384e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 0000000100f101f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 0000000100f103fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 0000000100f201f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 0000000100f203fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100f20804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100f20600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100f20a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100f31014 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100f30804 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100f30a08 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100f30c0c .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100f30e10 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 0000000100f301f8 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 0000000100f303fc .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100f30600 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[928] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077763ae0 5 bytes JMP 000000010015075c .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077767a90 5 bytes JMP 00000001001503a4 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777913c0 5 bytes JMP 00000000778f0440 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077791410 5 bytes JMP 00000000778f0430 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077791490 5 bytes JMP 0000000100150b14 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777914f0 5 bytes JMP 0000000100150ecc .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777915c0 1 byte JMP 00000000778f0450 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000777915c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000777915d0 5 bytes JMP 000000010015163c .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077791680 5 bytes JMP 00000000778f0320 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000777916b0 5 bytes JMP 00000000778f0380 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077791710 5 bytes JMP 00000000778f02e0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077791760 5 bytes JMP 00000000778f0410 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077791790 5 bytes JMP 00000000778f02d0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777917b0 5 bytes JMP 00000000778f0310 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000777917f0 5 bytes JMP 00000000778f0390 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077791810 5 bytes JMP 0000000100151284 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077791840 5 bytes JMP 00000000778f03c0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777919a0 1 byte JMP 00000000778f0230 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777919a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077791b60 5 bytes JMP 00000000778f0460 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077791b90 5 bytes JMP 00000000778f0370 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077791c70 5 bytes JMP 00000000778f02f0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077791c80 5 bytes JMP 00000000778f0350 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077791ce0 5 bytes JMP 00000000778f0290 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077791d70 5 bytes JMP 00000000778f02b0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077791d90 5 bytes JMP 00000000778f03a0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077791da0 1 byte JMP 00000000778f0330 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077791da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077791e10 5 bytes JMP 00000000778f03e0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077791e40 5 bytes JMP 00000000778f0240 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077792100 5 bytes JMP 00000000778f01e0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777921c0 1 byte JMP 00000000778f0250 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777921c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777921f0 5 bytes JMP 00000000778f0470 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077792200 5 bytes JMP 00000000778f0480 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077792230 5 bytes JMP 00000000778f0300 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077792240 5 bytes JMP 00000000778f0360 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777922a0 5 bytes JMP 00000000778f02a0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777922f0 5 bytes JMP 00000000778f02c0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077792330 5 bytes JMP 00000000778f0340 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077792620 5 bytes JMP 00000000778f0420 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077792820 5 bytes JMP 00000000778f0260 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077792830 5 bytes JMP 00000000778f0270 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077792840 1 byte JMP 00000000778f03d0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077792842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077792a00 5 bytes JMP 00000000778f01f0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077792a10 5 bytes JMP 00000000778f0210 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077792a80 5 bytes JMP 00000000778f0200 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077792ae0 5 bytes JMP 00000000778f03f0 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077792af0 5 bytes JMP 00000000778f0400 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077792b00 5 bytes JMP 00000000778f0220 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077792be0 5 bytes JMP 00000000778f0280 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000770beecd 1 byte [62] .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007feff556e00 5 bytes JMP 000007ff7f571dac .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007feff556f2c 5 bytes JMP 000007ff7f570ecc .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007feff557220 5 bytes JMP 000007ff7f571284 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007feff55739c 5 bytes JMP 000007ff7f57163c .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007feff557538 5 bytes JMP 000007ff7f5719f4 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007feff5575e8 5 bytes JMP 000007ff7f5703a4 .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007feff55790c 5 bytes JMP 000007ff7f57075c .text C:\Windows\system32\prevhost.exe[3080] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007feff557ab4 5 bytes JMP 000007ff7f570b14 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007793faa0 5 bytes JMP 0000000100030600 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007793fb38 5 bytes JMP 0000000100030804 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 000000007793fc90 5 bytes JMP 0000000100030c0c .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077940018 5 bytes JMP 0000000100030a08 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007795c45a 5 bytes JMP 00000001000301f8 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077961217 5 bytes JMP 00000001000303fc .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007591a30a 1 byte [62] .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075415181 5 bytes JMP 0000000100241014 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075415254 5 bytes JMP 0000000100240804 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000754153d5 5 bytes JMP 0000000100240a08 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000754154c2 5 bytes JMP 0000000100240c0c .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000754155e2 5 bytes JMP 0000000100240e10 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007541567c 5 bytes JMP 00000001002401f8 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007541589f 5 bytes JMP 00000001002403fc .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075415a22 5 bytes JMP 0000000100240600 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007696ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000076973982 5 bytes JMP 00000001002503fc .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076977603 5 bytes JMP 0000000100250804 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007697835c 5 bytes JMP 0000000100250600 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 000000007698cfca 5 bytes JMP 00000001729d44c0 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007698f52b 5 bytes JMP 0000000100250a08 .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075431465 2 bytes [43, 75] .text C:\Users\Admin\Desktop\Naprawa kompa\fb5ke5qk.exe[2372] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000754314bb 2 bytes [43, 75] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [524:4404] 000007fef1d39688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4132] 000007feff2b0168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4156] 000007fefc0a2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4164] 000007fef239d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4388] 000007fefa1e5124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:1092] 000007fef2339730 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4000:4840] 000007fef239d618 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}\Connection@Name isatap.{6375DF0A-4847-4C46-923C-ED866F041DEB} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{84E2C0EE-320F-489B-96B6-18FBE1D22A38}?\Device\{4C241773-66AB-4959-B36E-93C5499B4EF7}?\Device\{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}?\Device\{5F650FC8-9CF6-4AF6-845F-E21F801993C5}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{84E2C0EE-320F-489B-96B6-18FBE1D22A38}"?"{4C241773-66AB-4959-B36E-93C5499B4EF7}"?"{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}"?"{5F650FC8-9CF6-4AF6-845F-E21F801993C5}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{84E2C0EE-320F-489B-96B6-18FBE1D22A38}?\Device\TCPIP6TUNNEL_{4C241773-66AB-4959-B36E-93C5499B4EF7}?\Device\TCPIP6TUNNEL_{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}?\Device\TCPIP6TUNNEL_{5F650FC8-9CF6-4AF6-845F-E21F801993C5}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}@InterfaceName isatap.{6375DF0A-4847-4C46-923C-ED866F041DEB} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{FF99C270-AB32-44BC-87C3-66D3F11DBD6D}@ReusableType 0 ---- EOF - GMER 2.1 ----