GMER 2.1.19081 - http://www.gmer.net Rootkit scan 2013-02-23 21:57:47 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS547564A9E384 rev.JEDOA50B 596,17GB Running: n599uqkw.exe; Driver: C:\Users\user\AppData\Local\Temp\awedruog.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0xffffffff893cee90} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff893ce890} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff893ce590} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff893ce090} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0xffffffff893cdb90} .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[452] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\wininit.exe[516] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\wininit.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000149f80440 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000149f80430 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000149f80450 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0xffffffffd322ee90} .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000149f803b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000149f80320 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000149f80380 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000149f802e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000149f80410 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000149f802d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000149f80310 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000149f80390 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000149f803c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000149f80230 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffffd322e890} .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000149f80460 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000149f80370 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000149f802f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000149f80350 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000149f80290 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000149f802b0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000149f803a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000149f80330 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffffd322e590} .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000149f803e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000149f80240 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000149f801e0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000149f80250 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffffd322e090} .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000149f80470 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000149f80480 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000149f80300 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000149f80360 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000149f802a0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000149f802c0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000149f80340 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000149f80420 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000149f80260 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000149f80270 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000149f803d0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0xffffffffd322db90} .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000149f801f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000149f80210 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000149f80200 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000149f803f0 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000149f80400 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000149f80220 .text C:\Windows\system32\csrss.exe[544] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000149f80280 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\services.exe[584] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\services.exe[584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\lsass.exe[604] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0xffffffff8931ee90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0xffffffff8931db90} .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\lsm.exe[612] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[716] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[716] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\nvvsvc.exe[792] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\winlogon.exe[816] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[876] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\svchost.exe[976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\svchost.exe[976] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000100070440 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000100070430 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000100070450 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0xffffffff8931ee90} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000001000703b0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000100070320 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000100070380 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000001000702e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000100070410 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000001000702d0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000100070310 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000100070390 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000001000703c0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000100070230 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000100070460 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000100070370 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000001000702f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000100070350 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000100070290 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000001000702b0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000001000703a0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000100070330 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 00000001000703e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000100070240 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000001000701e0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000100070250 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000100070470 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000100070480 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000100070300 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000100070360 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000001000702a0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000001000702c0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000100070340 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000100070420 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000100070260 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000100070270 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 00000001000703d0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0xffffffff8931db90} .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000001000701f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000100070210 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000100070200 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000100070400 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000100070220 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000100070280 .text C:\Windows\System32\svchost.exe[1008] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[124] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[124] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[892] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[892] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[1092] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\WLANExt.exe[1180] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\nvvsvc.exe[1496] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\System32\spoolsv.exe[1572] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\svchost.exe[1600] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1716] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[1760] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[1796] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 0000000076eb03b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe[1840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text c:\Program Files (x86)\Common Files\Protexis\License Service\PsiService_2.exe[2032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[1044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\svchost.exe[3056] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100241014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100240c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100240e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1360] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100250a08 .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\System32\svchost.exe[2556] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010046075c .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001004603a4 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100460b14 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100460ecc .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0xffffffff8931ee90} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010046163c .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100461284 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0xffffffff8931e890} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0xffffffff8931e590} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0xffffffff8931e090} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0xffffffff8931db90} .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\SearchIndexer.exe[2712] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001002c1014 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001002c0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001002c0a08 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001002c0c0c .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001002c0e10 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002c01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002c03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001002c0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[692] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 00000001002d0a08 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010010075c .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001003a4 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100100b14 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100100ecc .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010010163c .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100101284 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\taskhost.exe[728] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 00000001001f075c .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001f03a4 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 00000001001f0b14 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 00000001001f0ecc .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000001001f163c .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 00000001001f1284 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\Dwm.exe[1464] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010019075c .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001903a4 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100190b14 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100190ecc .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010019163c .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100191284 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\Explorer.EXE[3008] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\Explorer.EXE[3008] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\CONEXANT\cAudioFilterAgent\cAudioFilterAgent64.exe[2768] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010052075c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001005203a4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100520b14 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100520ecc .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010052163c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100521284 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[2952] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010043075c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001004303a4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100430b14 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100430ecc .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010043163c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100431284 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files (x86)\Bluetooth Suite\AthBtTray.exe[2684] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010034075c .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001003403a4 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100340b14 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100340ecc .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010034163c .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100341284 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\Apoint\Apoint.exe[3148] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3260] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001001f1014 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001001f0804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001001f0a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001001f0c0c .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001001f0e10 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001001f01f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001001f03fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001001f0600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002001f8 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002003fc .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100200804 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100200600 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100200a08 .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[3272] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 3 bytes JMP 0000000100261014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity + 4 0000000076555185 1 byte [89] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100260c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100260e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002701f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002703fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100270804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100270600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[3392] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100270a08 .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\Apoint\ApMsgFwd.exe[3424] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010051075c .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001005103a4 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100510b14 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100510ecc .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010051163c .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100511284 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\Apoint\Apntex.exe[3640] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010012075c .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001203a4 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100120b14 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100120ecc .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010012163c .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100121284 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\conhost.exe[3672] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001001001f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001001003fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100100804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100100600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100100a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100111014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100110804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100110a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100110c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100110e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001001101f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001001103fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100110600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3756] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [3756] entry point in ".rdata" section 0000000064c371e6 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x680e28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100780600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100780804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x680e68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x680da8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x680d28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x680f28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x680f68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100780c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x680ee8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x680ea8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x680c68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x680ca8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100780a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x680c28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x680de8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x680d68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x680ce8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001007801f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001007803fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001007901f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001007903fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100790804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100790600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100790a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001007a1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001007a0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001007a0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001007a0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001007a0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001007a01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001007a03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001007a0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3976] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xf41a28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000101010600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000101010804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xf41a68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xf419a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xf41928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xf41b28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xf41b68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000101010c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xf41ae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xf41aa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xf41868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xf418a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000101010a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xf41828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xf419e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xf41968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xf418e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001010101f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001010103fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001010201f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001010203fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000101020804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000101020600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000101020a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000101031014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000101030804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000101030a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000101030c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000101030e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001010301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001010303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000101030600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xf42a28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100fa0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100fa0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xf42a68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xf429a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xf42928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xf42b28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xf42b68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100fa0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xf42ae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xf42aa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xf42868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xf428a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100fa0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xf42828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xf429e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xf42968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xf428e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100fa01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100fa03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100fb01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100fb03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100fb0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100fb0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100fb0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000101041014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000101040804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000101040a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000101040c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000101040e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001010401f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001010403fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000101040600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1292] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x3a7a28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100470600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100470804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x3a7a68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x3a79a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x3a7928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x3a7b28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x3a7b68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100470c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x3a7ae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x3a7aa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x3a7868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x3a78a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100470a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x3a7828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x3a79e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x3a7968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x3a78e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001004701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001004703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001004801f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001004803fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100480804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100480600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100480a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100491014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100490804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100490a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100490c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100490e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001004901f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001004903fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100490600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3360] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xcec628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100dc0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100dc0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xcec668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xcec5a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xcec528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xcec728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xcec768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100dc0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xcec6e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xcec6a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xcec468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xcec4a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100dc0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xcec428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xcec5e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xcec568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xcec4e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100dc01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100dc03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100dd01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100dd03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100dd0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100dd0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100dd0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100de1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100de0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100de0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100de0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100de0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 0000000100de01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 0000000100de03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100de0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xa15628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100ae0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100ae0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xa15668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xa155a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xa15528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xa15728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xa15768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100ae0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xa156e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xa156a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xa15468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xa154a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100ae0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xa15428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xa155e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xa15568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xa154e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100ae01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100ae03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100af01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100af03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100af0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100af0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100af0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100b01014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100b00804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100b00a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100b00c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100b00e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 0000000100b001f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 0000000100b003fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100b00600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3496] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x38ea28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100460600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100460804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x38ea68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x38e9a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x38e928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x38eb28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x38eb68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100460c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x38eae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x38eaa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x38e868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x38e8a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100460a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x38e828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x38e9e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x38e968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x38e8e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001004601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001004603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001004701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001004703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100470804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100470600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100470a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100481014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100480804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100480a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100480c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100480e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001004801f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001004803fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100480600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010016075c .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001603a4 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100160b14 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100160ecc .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010016163c .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100161284 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\taskeng.exe[4168] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Program Files\Sony\VAIO Update Common\VUAgent.exe[4264] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xc72628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100d50600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100d50804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xc72668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xc725a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xc72528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xc72728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xc72768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100d50c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xc726e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xc726a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xc72468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xc724a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100d50a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xc72428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xc725e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xc72568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xc724e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100d501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100d503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100d601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100d603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100d60804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100d60600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100d60a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100d71014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100d70804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100d70a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100d70c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100d70e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 0000000100d701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 0000000100d703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100d70600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1632] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xf81228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000101050600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000101050804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xf81268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xf811a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xf81128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xf81328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xf81368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000101050c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xf812e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xf812a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xf81068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xf810a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000101050a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xf81028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xf811e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xf81168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xf810e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001010501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001010503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001010601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001010603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000101060804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000101060600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000101060a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000101071014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000101070804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000101070a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000101070c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000101070e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001010701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001010703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000101070600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x1ce228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 00000001002d0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 00000001002d0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x1ce268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x1ce1a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x1ce128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x1ce328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x1ce368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 00000001002d0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x1ce2e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x1ce2a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x1ce068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x1ce0a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 00000001002d0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x1ce028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x1ce1e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x1ce168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x1ce0e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001002d01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001002d03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002e01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002e03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 00000001002e0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 00000001002e0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 00000001002e0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001002f1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001002f0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001002f0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001002f0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001002f0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002f01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002f03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001002f0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!WideCharToMultiByte 00000000748f170d 5 bytes JMP 0000000110002e40 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!MultiByteToWideChar 00000000748f192e 5 bytes JMP 0000000110002dd0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!FindClose 00000000748f442a 5 bytes JMP 00000001100021d0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!GetCommandLineA + 7 00000000748f5190 6 bytes JMP 0000000110001000 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!CreateFileA 00000000748f53ae 5 bytes JMP 00000001100019c0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!GetFileAttributesA 00000000748f53fc 5 bytes JMP 0000000110001a60 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!DeleteFileA 00000000748f542c 5 bytes JMP 0000000110001c10 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!GetFullPathNameA 00000000748fe2a9 5 bytes JMP 0000000110001dc0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!FindFirstFileA 00000000748fe2b6 5 bytes JMP 0000000110002110 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!SetCurrentDirectoryA 000000007490181c 5 bytes JMP 0000000110001b30 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!CopyFileA 00000000749158cd 5 bytes JMP 0000000110001b80 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!GetCurrentDirectoryA 000000007491d4e6 5 bytes JMP 0000000110001ac0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!FindNextFileA 000000007491d52e 5 bytes JMP 0000000110002190 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\KERNEL32.dll!MoveFileA 000000007496d929 5 bytes JMP 0000000110001c60 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001002c1014 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001002c0804 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001002c0a08 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001002c0c0c .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001002c0e10 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002c01f8 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002c03fc .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001002c0600 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\GDI32.dll!TextOutA 0000000074cfeda3 5 bytes JMP 0000000110002a90 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074d9d22e 5 bytes JMP 0000000110001300 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!LoadStringA 0000000074d9db21 5 bytes JMP 0000000110002d00 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!GetWindowTextA 0000000074da0029 7 bytes JMP 0000000110002a10 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SendMessageA 0000000074da612e 5 bytes JMP 0000000110001110 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowTextA 0000000074da7aee 5 bytes JMP 00000001100029b0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!DrawTextA 0000000074daaea1 5 bytes JMP 0000000110002af0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!SetDlgItemTextA 0000000074dac4d6 5 bytes JMP 0000000110002b50 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 00000001002d0a08 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000074ddcb0c 5 bytes JMP 00000001100013a0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!AppendMenuA 0000000074df67fb 5 bytes JMP 0000000110002d70 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\USER32.dll!GetDlgItemTextA 0000000074df6b36 5 bytes JMP 0000000110002c80 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\comdlg32.dll!GetOpenFileNameA 00000000750ca2a9 5 bytes JMP 00000001100023b0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\comdlg32.dll!GetSaveFileNameA 00000000750ca353 5 bytes JMP 00000001100026c0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\SHELL32.dll!SHGetPathFromIDList 0000000075651c64 5 bytes JMP 0000000110001f50 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\SHELL32.dll!DragQueryFile 00000000757454f8 3 bytes JMP 00000001100010a0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\SHELL32.dll!DragQueryFile + 4 00000000757454fc 1 byte [9A] .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\SHELL32.dll!SHBrowseForFolder 000000007577e07e 5 bytes JMP 0000000110001e60 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\SHELL32.dll!SHFileOperation 000000007578b241 5 bytes JMP 0000000110001cf0 .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\IrfanView\i_view32.exe[4224] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x67d228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100710600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100710804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x67d268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x67d1a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x67d128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x67d328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x67d368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100710c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x67d2e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x67d2a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x67d068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x67d0a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100710a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x67d028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x67d1e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x67d168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x67d0e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001007101f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001007103fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001007201f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001007203fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100720804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100720600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100720a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100731014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100730804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100730a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100730c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100730e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001007301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001007303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100730600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5100] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x463228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100530600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100530804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x463268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x4631a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x463128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x463328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x463368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100530c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x4632e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x4632a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x463068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x4630a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100530a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x463028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x4631e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x463168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x4630e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001005301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001005303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001005401f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001005403fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100540804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100540600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100540a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100551014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100550804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100550a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100550c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100550e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001005501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001005503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100550600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[2512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xa52228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100cb0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100cb0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xa52268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xa521a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xa52128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xa52328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xa52368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100cb0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xa522e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xa522a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xa52068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xa520a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100cb0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xa52028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xa521e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xa52168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xa520e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100cb01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100cb03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100cc01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100cc03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100cc0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100cc0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100cc0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100cd1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100cd0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100cd0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100cd0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100cd0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 0000000100cd01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 0000000100cd03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100cd0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4512] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x27d628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100340600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100340804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x27d668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x27d5a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x27d528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x27d728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x27d768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100340c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x27d6e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x27d6a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x27d468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x27d4a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100340a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x27d428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x27d5e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x27d568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x27d4e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001003401f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001003403fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001003501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001003503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100350804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100350600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100350a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100361014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100360804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100360a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100360c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100360e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001003601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001003603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100360600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4252] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x759228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 00000001007c0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 00000001007c0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x759268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x7591a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x759128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x759328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x759368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 00000001007c0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x7592e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x7592a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x759068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x7590a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 00000001007c0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x759028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x7591e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x759168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x7590e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001007c01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001007c03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001007d01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001007d03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 00000001007d0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 00000001007d0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 00000001007d0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100821014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100820804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100820a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100820c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100820e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001008201f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001008203fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100820600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[1736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x84c228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100960600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100960804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x84c268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x84c1a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x84c128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x84c328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x84c368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100960c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x84c2e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x84c2a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x84c068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x84c0a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100960a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x84c028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x84c1e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x84c168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x84c0e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001009601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001009603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001009701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001009703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100970804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100970600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100970a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100981014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100980804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100980a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100980c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100980e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001009801f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001009803fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100980600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 3 bytes [BA, 28, 56] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 9 0000000076eff995 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100650600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100650804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 3 bytes [BA, 68, 56] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 9 0000000076effbd9 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 3 bytes [BA, A8, 55] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 9 0000000076effc09 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 3 bytes [BA, 28, 55] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 9 0000000076effc21 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 3 bytes [BA, 28, 57] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 9 0000000076effc39 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 3 bytes [BA, 68, 57] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 9 0000000076effc69 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100650c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 3 bytes [BA, E8, 56] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 9 0000000076effce9 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 3 bytes [BA, A8, 56] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 9 0000000076effd01 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 3 bytes [BA, 68, 54] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 9 0000000076effd4d 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 3 bytes [BA, A8, 54] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 9 0000000076effe45 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100650a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 3 bytes [BA, 28, 54] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 9 0000000076f0009d 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 3 bytes [BA, E8, 55] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 9 0000000076f010a9 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 3 bytes [BA, 68, 55] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 9 0000000076f01121 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 3 bytes [BA, E8, 54] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 9 0000000076f01325 3 bytes [00, FF, E2] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001006501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001006503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001006601f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001006603fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 3 bytes JMP 0000000100660804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW + 4 0000000074da7607 1 byte [8B] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 3 bytes JMP 0000000100660600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA + 4 0000000074da8360 1 byte [8B] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100660a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100671014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100670804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100670a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100670c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100670e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001006701f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001006703fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100670600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4484] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x9d5228; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100ac0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100ac0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x9d5268; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x9d51a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x9d5128; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x9d5328; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x9d5368; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100ac0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x9d52e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x9d52a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x9d5068; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x9d50a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100ac0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x9d5028; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x9d51e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x9d5168; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x9d50e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 0000000100ac01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 0000000100ac03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 0000000100b101f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 0000000100b103fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100b10804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100b10600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100b10a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100b21014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100b20804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100b20a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100b20c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100b20e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 0000000100b201f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 0000000100b203fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100b20600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4196] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xf4a628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000101010600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000101010804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xf4a668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xf4a5a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xf4a528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xf4a728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xf4a768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000101010c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xf4a6e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xf4a6a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xf4a468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xf4a4a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000101010a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xf4a428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xf4a5e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xf4a568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xf4a4e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001010101f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001010103fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001010201f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001010203fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000101020804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000101020600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000101020a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000101031014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000101030804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000101030a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000101030c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000101030e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001010301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001010303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000101030600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4576] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x834628; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 00000001008a0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 00000001008a0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x834668; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x8345a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x834528; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x834728; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x834768; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 00000001008a0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x8346e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x8346a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x834468; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x8344a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 00000001008a0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x834428; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x8345e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x834568; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x8344e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001008a01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001008a03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001009301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001009303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100930804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100930600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100930a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100941014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100940804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100940a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100940c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100940e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001009401f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001009403fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100940600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3116] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0xf77a28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000101030600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000101030804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0xf77a68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0xf779a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0xf77928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0xf77b28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0xf77b68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000101030c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0xf77ae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0xf77aa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0xf77868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0xf778a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000101030a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0xf77828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0xf779e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0xf77968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0xf778e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001010301f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001010303fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001010401f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001010403fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000101040804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000101040600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000101040a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000101051014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000101050804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000101050a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000101050c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000101050e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001010501f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001010503fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000101050600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[5080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 000000010018075c .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001803a4 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 0000000100180b14 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 0000000100180ecc .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 000000010018163c .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 0000000100181284 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\NOTEPAD.EXE[5004] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000076d23ae0 5 bytes JMP 00000001001c075c .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000076d27a90 5 bytes JMP 00000001001c03a4 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 0000000076d513c0 5 bytes JMP 0000000076eb0440 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000076d51410 5 bytes JMP 0000000076eb0430 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000076d51490 5 bytes JMP 00000001001c0b14 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 0000000076d514f0 5 bytes JMP 00000001001c0ecc .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 0000000076d515c0 1 byte JMP 0000000076eb0450 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 0000000076d515c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 0000000076d515d0 5 bytes JMP 00000001001c163c .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000076d51680 5 bytes JMP 0000000076eb0320 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000076d516b0 5 bytes JMP 0000000076eb0380 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000076d51710 5 bytes JMP 0000000076eb02e0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000076d51760 5 bytes JMP 0000000076eb0410 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000076d51790 5 bytes JMP 0000000076eb02d0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 0000000076d517b0 5 bytes JMP 0000000076eb0310 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 0000000076d517f0 5 bytes JMP 0000000076eb0390 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000076d51810 5 bytes JMP 00000001001c1284 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000076d51840 5 bytes JMP 0000000076eb03c0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 0000000076d519a0 1 byte JMP 0000000076eb0230 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 0000000076d519a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000076d51b60 5 bytes JMP 0000000076eb0460 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000076d51b90 5 bytes JMP 0000000076eb0370 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000076d51c70 5 bytes JMP 0000000076eb02f0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000076d51c80 5 bytes JMP 0000000076eb0350 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000076d51ce0 5 bytes JMP 0000000076eb0290 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000076d51d70 5 bytes JMP 0000000076eb02b0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000076d51d90 5 bytes JMP 0000000076eb03a0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000076d51da0 1 byte JMP 0000000076eb0330 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000076d51da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000076d51e10 5 bytes JMP 0000000076eb03e0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000076d51e40 5 bytes JMP 0000000076eb0240 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000076d52100 5 bytes JMP 0000000076eb01e0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 0000000076d521c0 1 byte JMP 0000000076eb0250 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 0000000076d521c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 0000000076d521f0 5 bytes JMP 0000000076eb0470 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000076d52200 5 bytes JMP 0000000076eb0480 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000076d52230 5 bytes JMP 0000000076eb0300 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000076d52240 5 bytes JMP 0000000076eb0360 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000076d522a0 5 bytes JMP 0000000076eb02a0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000076d522f0 5 bytes JMP 0000000076eb02c0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000076d52330 5 bytes JMP 0000000076eb0340 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000076d52620 5 bytes JMP 0000000076eb0420 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000076d52820 5 bytes JMP 0000000076eb0260 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000076d52830 5 bytes JMP 0000000076eb0270 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000076d52840 1 byte JMP 0000000076eb03d0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000076d52842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000076d52a00 5 bytes JMP 0000000076eb01f0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000076d52a10 5 bytes JMP 0000000076eb0210 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000076d52a80 5 bytes JMP 0000000076eb0200 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000076d52ae0 5 bytes JMP 0000000076eb03f0 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000076d52af0 5 bytes JMP 0000000076eb0400 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000076d52b00 5 bytes JMP 0000000076eb0220 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000076d52be0 5 bytes JMP 0000000076eb0280 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076c3eecd 1 byte [62] .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefdaa6e00 5 bytes JMP 000007ff7dac1dac .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefdaa6f2c 5 bytes JMP 000007ff7dac0ecc .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefdaa7220 5 bytes JMP 000007ff7dac1284 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefdaa739c 5 bytes JMP 000007ff7dac163c .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefdaa7538 5 bytes JMP 000007ff7dac19f4 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefdaa75e8 5 bytes JMP 000007ff7dac03a4 .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefdaa790c 5 bytes JMP 000007ff7dac075c .text C:\Windows\system32\NOTEPAD.EXE[2976] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefdaa7ab4 5 bytes JMP 000007ff7dac0b14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100141014 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100140c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100140e10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074da2da4 5 bytes JMP 000000016b849ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100150804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000074dbcbf3 5 bytes JMP 000000016b998f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dbcfca 5 bytes JMP 000000016b7a1893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100150a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000074ddcb0c 5 bytes JMP 000000016b998ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000074ddce64 5 bytes JMP 000000016b998f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000074defbd1 5 bytes JMP 000000016b998e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000074defc9d 5 bytes JMP 000000016b998ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074defcd6 5 bytes JMP 000000016b998d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074defcfa 5 bytes JMP 000000016b998d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000750093ec 5 bytes JMP 000000016b999150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007325388e 5 bytes JMP 000000016b999000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000732f7922 5 bytes JMP 000000016b9990a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1040] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000750a2694 5 bytes JMP 000000016b999348 ? C:\Windows\system32\mssprxy.dll [1040] entry point in ".rdata" section 0000000064c371e6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_W 0000000076f125fd 6 bytes JMP 000000016b868054 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\ntdll.dll!NtdllDefWindowProc_A 0000000076f22a63 6 bytes JMP 000000016b80980d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\KERNEL32.dll!CreateThread 00000000748f34b5 5 bytes JMP 000000016b8075e3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100141014 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100140804 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100140a08 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100140c0c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100140e10 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001001401f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001001403fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100140600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000074d98a29 5 bytes JMP 000000016b8703df .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateWindowExA 0000000074d9d22e 5 bytes JMP 000000016b813643 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001001501f8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!GetKeyState 0000000074da291f 5 bytes JMP 000000016b7eddb3 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!EnableWindow 0000000074da2da4 5 bytes JMP 000000016b849ebc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001001503fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000074da6285 5 bytes JMP 000000016b867ff1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 000000016b8425b4 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100150600 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamA 0000000074dab029 5 bytes JMP 000000016b9992d8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateDialogIndirectParamW 0000000074dac63e 5 bytes JMP 000000016b999310 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!IsDialogMessage 0000000074db50ed 5 bytes JMP 000000016b9999d2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateDialogParamA 0000000074db5246 5 bytes JMP 000000016b999268 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!EndDialog 0000000074dbb99c 5 bytes JMP 000000016b999ca6 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!IsDialogMessageW 0000000074dbc701 5 bytes JMP 000000016b9999fa .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000074dbcbf3 5 bytes JMP 000000016b998f36 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000074dbcfca 5 bytes JMP 000000016b7a1893 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!GetAsyncKeyState 0000000074dbeb96 5 bytes JMP 000000016b7ededd .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 000000016b88ed14 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SendInput 0000000074dbff4a 5 bytes JMP 000000016b99a269 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!CreateDialogParamW 0000000074dc10dc 5 bytes JMP 000000016b9992a0 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SetKeyboardState 0000000074dc14b2 5 bytes JMP 000000016b99a2c1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!SetCursorPos 0000000074dd9cfd 5 bytes JMP 000000016b99a342 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000074ddcb0c 5 bytes JMP 000000016b998ed1 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000074ddce64 5 bytes JMP 000000016b998f9b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000074defbd1 5 bytes JMP 000000016b998e58 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000074defc9d 5 bytes JMP 000000016b998ddf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000074defcd6 5 bytes JMP 000000016b998d7b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000074defcfa 5 bytes JMP 000000016b998d17 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\USER32.dll!keybd_event 0000000074df02bf 5 bytes JMP 000000016b99a226 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076236143 5 bytes JMP 000000016b999704 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000074fa3e59 5 bytes JMP 000000016b9997fc .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000074fa3eae 5 bytes JMP 000000016b99987a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000074fa4731 5 bytes JMP 000000016b99976e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000074fa5dee 5 bytes JMP 000000016b99981a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 00000000750093ec 5 bytes JMP 000000016b999150 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheetW 000000007325388e 5 bytes JMP 000000016b999000 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll!PropertySheet 00000000732f7922 5 bytes JMP 000000016b9990a8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\comdlg32.dll!PrintDlgW 00000000750933a3 5 bytes JMP 000000016b9993ec .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000750a2694 5 bytes JMP 000000016b999348 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[4148] C:\Windows\syswow64\comdlg32.dll!PrintDlgA 00000000750ae8ff 5 bytes JMP 000000016b9994b8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001001101f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001001103fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100110804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100110600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100110a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100121014 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100120804 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100120a08 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100120c0c .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100120e10 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001001201f8 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001001203fc .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100120600 .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_168_ActiveX.exe[1528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x1f0a28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 00000001003d0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 00000001003d0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x1f0a68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x1f09a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x1f0928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x1f0b28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x1f0b68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 00000001003d0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x1f0ae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x1f0aa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x1f0868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x1f08a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 00000001003d0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x1f0828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x1f09e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x1f0968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x1f08e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001003d01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001003d03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001003e01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001003e03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 00000001003e0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 00000001003e0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 00000001003e0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001003f1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001003f0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001003f0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001003f0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001003f0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001003f01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001003f03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001003f0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[4600] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 0000000076eff991 7 bytes {MOV EDX, 0x21ba28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100280600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100280804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 0000000076effbd5 7 bytes {MOV EDX, 0x21ba68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 0000000076effc05 7 bytes {MOV EDX, 0x21b9a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 0000000076effc1d 7 bytes {MOV EDX, 0x21b928; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 0000000076effc35 7 bytes {MOV EDX, 0x21bb28; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 0000000076effc65 7 bytes {MOV EDX, 0x21bb68; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100280c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 0000000076effce5 7 bytes {MOV EDX, 0x21bae8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 0000000076effcfd 7 bytes {MOV EDX, 0x21baa8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 0000000076effd49 7 bytes {MOV EDX, 0x21b868; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 0000000076effe41 7 bytes {MOV EDX, 0x21b8a8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100280a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000076f00099 7 bytes {MOV EDX, 0x21b828; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 0000000076f010a5 7 bytes {MOV EDX, 0x21b9e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 0000000076f0111d 7 bytes {MOV EDX, 0x21b968; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000076f01321 7 bytes {MOV EDX, 0x21b8e8; JMP RDX} .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001002801f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001002803fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002901f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002903fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100290804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100290600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100290a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 00000001002a1014 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 00000001002a0804 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 00000001002a0a08 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 00000001002a0c0c .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 00000001002a0e10 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002a01f8 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002a03fc .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 00000001002a0600 .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000074d71465 2 bytes [D7, 74] .text C:\Users\user\AppData\Local\Google\Chrome\Application\chrome.exe[3916] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000074d714bb 2 bytes [D7, 74] .text ... * 2 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 0000000076effaa0 5 bytes JMP 0000000100030600 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 0000000076effb38 5 bytes JMP 0000000100030804 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 0000000076effc90 5 bytes JMP 0000000100030c0c .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000076f00018 5 bytes JMP 0000000100030a08 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 0000000076f1c45a 5 bytes JMP 00000001000301f8 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000076f21217 5 bytes JMP 00000001000303fc .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 000000007491a30a 1 byte [62] .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000076555181 5 bytes JMP 0000000100241014 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000076555254 5 bytes JMP 0000000100240804 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000765553d5 5 bytes JMP 0000000100240a08 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000765554c2 5 bytes JMP 0000000100240c0c .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000765555e2 5 bytes JMP 0000000100240e10 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007655567c 5 bytes JMP 00000001002401f8 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007655589f 5 bytes JMP 00000001002403fc .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000076555a22 5 bytes JMP 0000000100240600 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000074d9ee09 5 bytes JMP 00000001002501f8 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000074da3982 5 bytes JMP 00000001002503fc .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000074da7603 5 bytes JMP 0000000100250804 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000074da835c 5 bytes JMP 0000000100250600 .text C:\Users\user\Downloads\OTL\n599uqkw.exe[4916] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000074dbf52b 5 bytes JMP 0000000100250a08 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\9439e5b1ce3a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@f48e09b26704 0x5C 0x3F 0x73 0x35 ... Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@b05ce5a1ab70 0xA9 0xA2 0xDA 0x19 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5b1ce3a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@f48e09b26704 0x5C 0x3F 0x73 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@b05ce5a1ab70 0xA9 0xA2 0xDA 0x19 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\9439e5b1ce3a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@f48e09b26704 0x5C 0x3F 0x73 0x35 ... Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@b05ce5a1ab70 0xA9 0xA2 0xDA 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b1ce3a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@f48e09b26704 0x5C 0x3F 0x73 0x35 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@b05ce5a1ab70 0xA9 0xA2 0xDA 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@9c1874468702 0x89 0x89 0xDF 0x4F ... Reg HKLM\SYSTEM\ControlSet005\services\BTHPORT\Parameters\Keys\9439e5b1ce3a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@f48e09b26704 0x5C 0x3F 0x73 0x35 ... Reg HKLM\SYSTEM\ControlSet005\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@b05ce5a1ab70 0xA9 0xA2 0xDA 0x19 ... Reg HKLM\SYSTEM\ControlSet005\services\BTHPORT\Parameters\Keys\9439e5b1ce3a@9c1874468702 0x89 0x89 0xDF 0x4F ... ---- EOF - GMER 2.1 ----