GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-29 18:38:09 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.FG01 298,09GB Running: gxu6wt2x.exe; Driver: C:\Users\Kwasek\AppData\Local\Temp\ufdiipoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 0000000077910370 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 0000000077910320 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 0000000077910310 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 0000000077910200 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 0000000077910220 .text C:\Windows\system32\csrss.exe[504] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 5 bytes JMP 0000000077910380 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 0000000077910370 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 0000000077910390 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 0000000077910320 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 00000000779102e0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 00000000779102d0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 0000000077910310 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 0000000077910230 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 00000000779103a0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 00000000779102f0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 0000000077910350 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 0000000077910290 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 00000000779102b0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 0000000077910330 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 0000000077910240 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 00000000779101e0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 0000000077910250 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 00000000779103b0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 00000000779103c0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 0000000077910300 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 0000000077910360 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 00000000779102a0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 00000000779102c0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 0000000077910340 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 0000000077910260 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 0000000077910270 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 00000000779101f0 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 0000000077910210 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 0000000077910200 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 0000000077910220 .text C:\Windows\system32\csrss.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 0000000077910280 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\services.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\services.exe[664] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010032075c .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001003203a4 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100320b14 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100320ecc .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100321284 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\lsass.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[820] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\svchost.exe[916] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010020075c .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001002003a4 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100200b14 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100200ecc .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100201284 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[368] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 00000001001b075c .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001b03a4 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 00000001001b0b14 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 00000001001b0ecc .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 00000001001b1284 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\System32\svchost.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\System32\svchost.exe[536] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[608] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\svchost.exe[608] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\svchost.exe[1120] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010019075c .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001903a4 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100190b14 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100190ecc .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100191284 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1216] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\Dwm.exe[1568] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 00000001003c075c .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001003c03a4 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 00000001003c0b14 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 00000001003c0ecc .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 00000001003c1284 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\Explorer.EXE[1576] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\Explorer.EXE[1576] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe[1764] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100180600 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000758b8799 5 bytes [33, C0, C2, 04, 00] .text C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe[1820] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Windows\SysWOW64\ntdll.dll[1192] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100261014 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\System Control Manager\MGSysCtrl.exe[1652] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100260600 .text C:\Windows\SysWOW64\ntdll.dll[1456] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001d0600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001d0804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001d0a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001d01f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001d03fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 5 bytes JMP 0000000077910380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 0000000077910370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 0000000077910390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 0000000077910320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 00000000779102e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 00000000779102d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 0000000077910310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 0000000077910230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 00000000779103a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 00000000779102f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 0000000077910350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 0000000077910290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 00000000779102b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 0000000077910330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 0000000077910240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 00000000779101e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 0000000077910250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 00000000779103b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 00000000779103c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 0000000077910300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 0000000077910360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 00000000779102a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 00000000779102c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 0000000077910340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 0000000077910260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 0000000077910270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 00000000779101f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 0000000077910210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 0000000077910200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 0000000077910220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[2428] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 0000000077910280 .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100090600 .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100090804 .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100090a08 .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001000901f8 .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001000903fc .text C:\Windows\syswow64\svchost.exe[2592] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 00000001003b075c .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001003b03a4 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 00000001003b0b14 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 00000001003b0ecc .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 00000001003b1284 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\svchost.exe[3028] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2276] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\wbem\wmiprvse.exe[3892] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010010075c .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001001003a4 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100101284 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefda86e00 5 bytes JMP 000007ff7daa1dac .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefda86f2c 5 bytes JMP 000007ff7daa0ecc .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefda87220 5 bytes JMP 000007ff7daa1284 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefda8739c 5 bytes JMP 000007ff7daa163c .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefda87538 5 bytes JMP 000007ff7daa19f4 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefda875e8 5 bytes JMP 000007ff7daa03a4 .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefda8790c 5 bytes JMP 000007ff7daa075c .text C:\Windows\system32\SearchIndexer.exe[4036] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefda87ab4 5 bytes JMP 000007ff7daa0b14 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 000000010020075c .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001002003a4 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 0000000100200b14 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 0000000100200ecc .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 0000000100201284 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\svchost.exe[1712] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[2496] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[252] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 0000000067f911a8 2 bytes [F9, 67] .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 0000000067f913a8 2 bytes [F9, 67] .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000067f91422 2 bytes [F9, 67] .text C:\Program Files (x86)\PLAY ONLINE\UIMain.exe[2632] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000067f91498 2 bytes [F9, 67] .text C:\Program Files (x86)\PLAY ONLINE\CMUpdater.exe[2208] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000777b13c0 4 bytes JMP 000000007fff0380 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00000000777b1410 5 bytes JMP 000000007fff0370 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000777b15c0 5 bytes JMP 000000007fff0390 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00000000777b1680 5 bytes JMP 000000007fff0320 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00000000777b1710 5 bytes JMP 000000007fff02e0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00000000777b1790 5 bytes JMP 000000007fff02d0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000777b17b0 5 bytes JMP 000000007fff0310 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000777b19a0 1 byte JMP 000000007fff0230 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000777b19a2 3 bytes {JMP 0x883e890} .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00000000777b1b60 5 bytes JMP 000000007fff03a0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00000000777b1c70 5 bytes JMP 000000007fff02f0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00000000777b1c80 5 bytes JMP 000000007fff0350 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00000000777b1ce0 5 bytes JMP 000000007fff0290 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00000000777b1d70 5 bytes JMP 000000007fff02b0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00000000777b1da0 1 byte JMP 000000007fff0330 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 00000000777b1da2 3 bytes {JMP 0x883e590} .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00000000777b1e40 5 bytes JMP 000000007fff0240 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00000000777b2100 5 bytes JMP 000000007fff01e0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000777b21c0 1 byte JMP 000000007fff0250 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000777b21c2 3 bytes {JMP 0x883e090} .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000777b21f0 5 bytes JMP 000000007fff03b0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00000000777b2200 5 bytes JMP 000000007fff03c0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00000000777b2230 5 bytes JMP 000000007fff0300 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00000000777b2240 5 bytes JMP 000000007fff0360 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000777b22a0 5 bytes JMP 000000007fff02a0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000777b22f0 5 bytes JMP 000000007fff02c0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00000000777b2330 5 bytes JMP 000000007fff0340 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00000000777b2820 5 bytes JMP 000000007fff0260 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00000000777b2830 5 bytes JMP 000000007fff0270 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000777b2a00 5 bytes JMP 000000007fff01f0 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00000000777b2a10 5 bytes JMP 000000007fff0210 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00000000777b2a80 5 bytes JMP 000000007fff0200 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00000000777b2b00 5 bytes JMP 000000007fff0220 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00000000777b2be0 5 bytes JMP 000000007fff0280 .text C:\Windows\system32\AUDIODG.EXE[4956] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001c0600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001c0804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001c0a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001c01f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001c03fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Program Files (x86)\Skype\Phone\Skype.exe[1864] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001000c0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001000c0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001000c0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001000c01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001000c03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001000d01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001000d03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 00000001000d0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 00000001000d0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 00000001000d0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100161014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100160804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100160a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100160c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100160e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001001601f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001001603fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100160600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[4560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [4560] entry point in ".rdata" section 00000000749671e6 .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0x641a28; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100650600 .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100650804 .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0x641a68; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0x6419a8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0x641928; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0x641b28; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0x641b68; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0x641ae8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0x641aa8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0x641868; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0x6418a8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100650a08 .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0x641828; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0x6419e8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0x641968; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0x6418e8; JMP RDX} .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001006501f8 .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001006503fc .text C:\Windows\SysWOW64\ntdll.dll[5224] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001011f01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001011f03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 00000001011f0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 00000001011f0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5992] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 00000001011f0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001010801f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001010803fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000101080804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000101080600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5640] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000101080a08 .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077783ae0 5 bytes JMP 00000001002c075c .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077787a90 5 bytes JMP 00000001002c03a4 .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 00000000777b1490 5 bytes JMP 00000001002c0b14 .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000777b14f0 5 bytes JMP 00000001002c0ecc .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 00000000777b1810 5 bytes JMP 00000001002c1284 .text C:\Windows\system32\taskhost.exe[2572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007759ee7d 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0x2b6e28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001002d0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001002d0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0x2b6e68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0x2b6da8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0x2b6d28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0x2b6f28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0x2b6f68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0x2b6ee8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0x2b6ea8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0x2b6c68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0x2b6ca8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001002d0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0x2b6c28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0x2b6de8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0x2b6d68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0x2b6ce8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001002d01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001002d03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001003201f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001003203fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100320804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100320600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100320a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100371014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100370804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100370a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100370c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100370e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001003701f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001003703fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100370600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5368] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0x11aa28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100130600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100130804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0x11aa68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0x11a9a8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0x11a928; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0x11ab28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0x11ab68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0x11aae8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0x11aaa8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0x11a868; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0x11a8a8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100130a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0x11a828; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0x11a9e8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0x11a968; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0x11a8e8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001301f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001303fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001003701f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001003703fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100370804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100370600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100370a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100381014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100380804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100380a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100380c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100380e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001003801f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001003803fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100380600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[1096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0xbf9e28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100c10600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100c10804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0xbf9e68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0xbf9da8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0xbf9d28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0xbf9f28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0xbf9f68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0xbf9ee8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0xbf9ea8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0xbf9c68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0xbf9ca8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100c10a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0xbf9c28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0xbf9de8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0xbf9d68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0xbf9ce8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 0000000100c101f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 0000000100c103fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 0000000100d101f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 0000000100d103fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100d10804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100d10600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100d10a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100d21014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100d20804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100d20a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100d20c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100d20e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 0000000100d201f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 0000000100d203fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100d20600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[3816] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0xeb7e28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100ed0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100ed0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0xeb7e68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0xeb7da8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0xeb7d28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0xeb7f28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0xeb7f68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0xeb7ee8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0xeb7ea8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0xeb7c68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0xeb7ca8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100ed0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0xeb7c28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0xeb7de8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0xeb7d68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0xeb7ce8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 0000000100ed01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 0000000100ed03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 0000000100f901f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 0000000100f903fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100f90804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100f90600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100f90a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100fa1014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100fa0804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100fa0a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100fa0c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100fa0e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 0000000100fa01f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 0000000100fa03fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100fa0600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[440] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007795f9a1 7 bytes {MOV EDX, 0x235e28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 0000000100250600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 0000000100250804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007795fbe5 7 bytes {MOV EDX, 0x235e68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007795fc15 7 bytes {MOV EDX, 0x235da8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007795fc2d 7 bytes {MOV EDX, 0x235d28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007795fc45 7 bytes {MOV EDX, 0x235f28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007795fc75 7 bytes {MOV EDX, 0x235f68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007795fcf5 7 bytes {MOV EDX, 0x235ee8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007795fd0d 7 bytes {MOV EDX, 0x235ea8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007795fd59 7 bytes {MOV EDX, 0x235c68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007795fe51 7 bytes {MOV EDX, 0x235ca8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 0000000100250a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000779600a9 7 bytes {MOV EDX, 0x235c28; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000779610b5 7 bytes {MOV EDX, 0x235de8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007796112d 7 bytes {MOV EDX, 0x235d68; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077961331 7 bytes {MOV EDX, 0x235ce8; JMP RDX} .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001002501f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001002503fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001003501f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001003503fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 0000000100350804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 0000000100350600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 0000000100350a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075e85181 5 bytes JMP 0000000100361014 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075e85254 5 bytes JMP 0000000100360804 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 0000000075e853d5 5 bytes JMP 0000000100360a08 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 0000000075e854c2 5 bytes JMP 0000000100360c0c .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 0000000075e855e2 5 bytes JMP 0000000100360e10 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 0000000075e8567c 5 bytes JMP 00000001003601f8 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 0000000075e8589f 5 bytes JMP 00000001003603fc .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075e85a22 5 bytes JMP 0000000100360600 .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000077911465 2 bytes [91, 77] .text C:\Users\Kwasek\AppData\Local\Google\Chrome\Application\chrome.exe[5688] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000779114bb 2 bytes [91, 77] .text ... * 2 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 000000007795fab0 5 bytes JMP 00000001001c0600 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 000000007795fb48 5 bytes JMP 00000001001c0804 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077960028 5 bytes JMP 00000001001c0a08 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007797c43a 5 bytes JMP 00000001001c01f8 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 00000000779811d7 5 bytes JMP 00000001001c03fc .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000758da2ea 1 byte [62] .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 000000007726ee09 5 bytes JMP 00000001002b01f8 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000077273982 5 bytes JMP 00000001002b03fc .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000077277603 5 bytes JMP 00000001002b0804 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 000000007727835c 5 bytes JMP 00000001002b0600 .text C:\Users\Kwasek\Downloads\gxu6wt2x.exe[5772] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 000000007728f52b 5 bytes JMP 00000001002b0a08 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1120:4080] 000007fefa850ea8 Thread C:\Windows\system32\svchost.exe [1120:4092] 000007feebc56ed4 Thread C:\Windows\system32\svchost.exe [1120:2004] 000007feebc56b8c Thread C:\Windows\system32\svchost.exe [1120:3088] 000007fefa849db0 Thread C:\Windows\system32\svchost.exe [1120:3260] 000007fefa851c94 Thread C:\Windows\system32\svchost.exe [1120:1248] 000007fefa84aa10 Thread C:\Windows\system32\svchost.exe [1120:2308] 000007fef630d3c8 Thread C:\Windows\system32\svchost.exe [1120:2312] 000007fef630d3c8 Thread C:\Windows\system32\svchost.exe [1120:3876] 000007fef630d3c8 Thread C:\Windows\system32\svchost.exe [1120:2376] 000007fef630d3c8 Thread C:\Windows\system32\svchost.exe [1216:3220] 000007feedb9bec4 Thread C:\Windows\system32\svchost.exe [1216:3272] 000007feed7c5170 Thread C:\Windows\system32\svchost.exe [1216:1668] 000007feeb7383d8 Thread C:\Windows\system32\svchost.exe [1216:2080] 000007feeb7383d8 Thread C:\Windows\system32\svchost.exe [1216:4100] 000007feeb3c3f1c Thread C:\Windows\system32\svchost.exe [1216:4104] 000007feeb6422b8 Thread C:\Windows\system32\svchost.exe [1216:4108] 000007feeb641a38 Thread C:\Windows\system32\svchost.exe [1216:4112] 000007feeb615388 Thread C:\Windows\system32\svchost.exe [1216:4116] 000007feeb337738 Thread C:\Windows\system32\svchost.exe [1216:4120] 000007feeb601f90 Thread C:\Windows\system32\svchost.exe [1216:3256] 000007feeda25124 Thread C:\Windows\SysWOW64\ntdll.dll [1192:1208] 0000000000672b5a Thread C:\Windows\SysWOW64\ntdll.dll [1192:2140] 0000000064681340 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2144] 0000000065019870 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2160] 0000000000483740 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2164] 00000000004837c0 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2168] 0000000000483d00 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2172] 0000000000483d00 Thread C:\Windows\SysWOW64\ntdll.dll [1192:2176] 0000000000483d00 Thread C:\Windows\SysWOW64\ntdll.dll [1456:1660] 000000000124f0ae Thread C:\Windows\SysWOW64\ntdll.dll [1456:2352] 0000000071907832 Thread C:\Windows\syswow64\svchost.exe [2592:2664] 00000000002b10d0 Thread C:\Windows\System32\spoolsv.exe [2988:3680] 000007feec6f10c8 Thread C:\Windows\System32\spoolsv.exe [2988:3708] 000007feec696144 Thread C:\Windows\System32\spoolsv.exe [2988:3712] 000007feec405fd0 Thread C:\Windows\System32\spoolsv.exe [2988:3716] 000007feec3f3438 Thread C:\Windows\System32\spoolsv.exe [2988:3720] 000007feec4063ec Thread C:\Windows\System32\spoolsv.exe [2988:3748] 000007fef6615e5c Thread C:\Windows\System32\spoolsv.exe [2988:3752] 000007feeca65090 Thread C:\Windows\System32\spoolsv.exe [2988:3832] 000007feecad21e0 Thread C:\Windows\system32\taskhost.exe [3068:2304] 000007fefac12740 Thread C:\Windows\system32\taskhost.exe [3068:2292] 000007fefabb1f38 Thread C:\Windows\system32\taskhost.exe [3068:1564] 000007fef73d1010 Thread C:\Windows\system32\svchost.exe [1712:1664] 000007feeb4f5f1c Thread C:\Windows\system32\svchost.exe [1712:2736] 000007feeb098470 Thread C:\Windows\system32\svchost.exe [1712:1524] 000007feeb0a2418 Thread C:\Windows\system32\svchost.exe [1712:3856] 000007fee85df130 Thread C:\Windows\system32\svchost.exe [1712:3984] 000007fee85d4734 Thread C:\Windows\system32\svchost.exe [1712:3800] 000007fee85d4734 Thread C:\Windows\system32\svchost.exe [1712:1976] 000007feec405fd0 Thread C:\Windows\system32\svchost.exe [1712:3584] 000007feec4063ec Thread C:\Windows\System32\svchost.exe [4512:1408] 000007fee8579688 Thread C:\Windows\SysWOW64\ntdll.dll [5224:1144] 000000000040f860 Thread C:\Windows\SysWOW64\ntdll.dll [5224:5660] 00000000003bf4cf Thread C:\Windows\SysWOW64\ntdll.dll [5224:5664] 00000000003bf4cf Thread C:\Windows\SysWOW64\ntdll.dll [5224:5668] 0000000056ba4db2 Thread C:\Windows\SysWOW64\ntdll.dll [5224:5740] 000000006e94159e Thread C:\Windows\SysWOW64\ntdll.dll [5224:180] 000000006e94159e Thread C:\Windows\SysWOW64\ntdll.dll [5224:1512] 000000006e94159e Thread C:\Windows\SysWOW64\ntdll.dll [5224:1772] 0000000056ba4db2 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{4F01F377-8AD7-4AD9-AA70-14012E429551}\Connection@Name 6TO4 Adapter Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{0F0B9EE1-FDD5-4189-83C5-531E25C1D1EF}?\Device\{4FCA9458-BDA7-4434-80A1-D62C2FE93AB7}?\Device\{0B57899A-10C9-4197-85EC-740186A2DF60}?\Device\{5E6BC44C-F067-4828-94F4-F1FEAC15D438}?\Device\{4F01F377-8AD7-4AD9-AA70-14012E429551}??Device\{4F01F377-8AD7-4AD9-AA70-14012E429551}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{0F0B9EE1-FDD5-4189-83C5-531E25C1D1EF}"?"{4FCA9458-BDA7-4434-80A1-D62C2FE93AB7}"?"{0B57899A-10C9-4197-85EC-740186A2DF60}"?"{5E6BC44C-F067-4828-94F4-F1FEAC15D438}"?"{4F01F377-8AD7-4AD9-AA70-14012E429551}"??{4F01F377-8AD7-4AD9-AA70-14012E429551}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{0F0B9EE1-FDD5-4189-83C5-531E25C1D1EF}?\Device\TCPIP6TUNNEL_{4FCA9458-BDA7-4434-80A1-D62C2FE93AB7}?\Device\TCPIP6TUNNEL_{0B57899A-10C9-4197-85EC-740186A2DF60}?\Device\TCPIP6TUNNEL_{5E6BC44C-F067-4828-94F4-F1FEAC15D438}?\Device\TCPIP6TUNNEL_{4F01F377-8AD7-4AD9-AA70-14012E429551}??Device\TCPIP6TUNNEL_{4F01F377-8AD7-4AD9-AA70-14012E429551}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0024214ca124 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0024214ca124@0023f1bbac61 0x77 0x32 0x11 0xF4 ... Reg HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}@NetbiosOptions 2 Reg HKLM\SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces\Tcpip_{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}@NameServerList 10.11.12.13?10.11.12.14? Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Linkage@Bind \Device\{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}?\Device\{F013D997-5248-4520-B6EB-0A7DF522D8B3}?\Device\{34FD576B-3EEB-4E2D-937B-F9AB2A037EEA}?\Device\{9B1AD380-A49D-46CD-9206-772A46470D33}?\Device\{039B3770-B0AA-4565-B505-4BFB9AAEF7F0}?\Device\{5DA27F47-7B89-43F1-A437-2839F8B4EB3B}? Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}@DhcpIPAddress 164.127.191.237 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}@DhcpSubnetMask 255.255.255.255 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{87F87D43-9182-4B13-BE44-CD6DEE6C96CB}@NameServer 89.108.202.20 89.108.195.20 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0024214ca124 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0024214ca124@0023f1bbac61 0x77 0x32 0x11 0xF4 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CBBBBC92-9FD6-3467-F133-D1205D80A8BA} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CBBBBC92-9FD6-3467-F133-D1205D80A8BA}@iapblkngdeieioekai 0x66 0x61 0x6E 0x63 ... ---- Files - GMER 2.1 ---- File C:\Users\Kwasek\AppData\Roaming\Microsoft\Windows\Recent\04 Me Plus One.lnk 0 bytes File C:\Users\Kwasek\AppData\Roaming\Microsoft\Windows\Recent\Random.lnk 0 bytes ---- EOF - GMER 2.1 ----