GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-30 13:05:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502IJ rev.1AA01112 465,76GB Running: hnlmz15i.exe; Driver: C:\Users\Venon\AppData\Local\Temp\uwddikod.sys ---- User code sections - GMER 2.0 ---- .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000100120440 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000100120430 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000100120450 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0xffffffff88eeee90} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001001203b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000100120320 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000100120380 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000001001202e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000100120410 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000001001202d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000100120310 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000100120390 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000001001203c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000100120230 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0xffffffff88eee890} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000100120460 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000100120370 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000001001202f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000100120350 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000100120290 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000001001202b0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000001001203a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000100120330 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0xffffffff88eee590} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000001001203e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000100120240 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000001001201e0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000100120250 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0xffffffff88eee090} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000100120470 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000100120480 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000100120300 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000100120360 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000001001202a0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000001001202c0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000100120340 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000100120420 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000100120260 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000100120270 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000001001203d0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0xffffffff88eedb90} .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000001001201f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000100120210 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000100120200 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000001001203f0 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000100120400 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000100120220 .text C:\Windows\system32\csrss.exe[472] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000100120280 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\wininit.exe[536] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\wininit.exe[536] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 000000014a4c0440 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 000000014a4c0430 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 000000014a4c0450 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0xffffffffd328ee90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 000000014a4c03b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 000000014a4c0320 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 000000014a4c0380 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 000000014a4c02e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 000000014a4c0410 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 000000014a4c02d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 000000014a4c0310 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 000000014a4c0390 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 000000014a4c03c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 000000014a4c0230 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0xffffffffd328e890} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 000000014a4c0460 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 000000014a4c0370 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 000000014a4c02f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 000000014a4c0350 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 000000014a4c0290 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 000000014a4c02b0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 000000014a4c03a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 000000014a4c0330 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0xffffffffd328e590} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 000000014a4c03e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 000000014a4c0240 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 000000014a4c01e0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 000000014a4c0250 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0xffffffffd328e090} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 000000014a4c0470 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 000000014a4c0480 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 000000014a4c0300 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 000000014a4c0360 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 000000014a4c02a0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 000000014a4c02c0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 000000014a4c0340 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 000000014a4c0420 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 000000014a4c0260 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 000000014a4c0270 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 000000014a4c03d0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0xffffffffd328db90} .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 000000014a4c01f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 000000014a4c0210 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 000000014a4c0200 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 000000014a4c03f0 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 000000014a4c0400 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 000000014a4c0220 .text C:\Windows\system32\csrss.exe[560] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 000000014a4c0280 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\services.exe[596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\services.exe[596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\winlogon.exe[640] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\lsass.exe[656] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\lsm.exe[664] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\svchost.exe[784] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\svchost.exe[784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\nvvsvc.exe[868] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe[896] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0xffffffff88e3ee90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0xffffffff88e3e890} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0xffffffff88e3e590} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0xffffffff88e3e090} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0xffffffff88e3db90} .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\atiesrxx.exe[128] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\System32\svchost.exe[388] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\System32\svchost.exe[388] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\System32\svchost.exe[464] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\svchost.exe[396] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\svchost.exe[396] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files (x86)\Creative\Shared Files\CTAudSvc.exe[1100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000100070440 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000100070430 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000100070450 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0xffffffff88e3ee90} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001000703b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000100070320 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000100070380 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000001000702e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000100070410 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000001000702d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000100070310 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000100070390 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000001000703c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000100070230 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0xffffffff88e3e890} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000100070460 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000100070370 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000001000702f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000100070350 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000100070290 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000001000702b0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000001000703a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000100070330 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0xffffffff88e3e590} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000001000703e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000100070240 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000001000701e0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000100070250 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0xffffffff88e3e090} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000100070470 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000100070480 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000100070300 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000100070360 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000001000702a0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000001000702c0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000100070340 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000100070420 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000100070260 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000100070270 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000001000703d0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0xffffffff88e3db90} .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000001000701f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000100070210 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000100070200 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000001000703f0 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000100070400 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000100070220 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000100070280 .text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\atieclxx.exe[1248] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\svchost.exe[1328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\System32\spoolsv.exe[1596] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\svchost.exe[1752] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\Dwm.exe[1816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\Explorer.EXE[1840] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\Explorer.EXE[1840] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\taskhost.exe[1928] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[2032] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000000773903b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\svchost.exe[1736] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\IB Updater\ExtensionUpdaterService.exe[1904] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001003f1014 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001003f0804 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001003f0a08 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001003f0c0c .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001003f0e10 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001003f01f8 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001003f03fc .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001003f0600 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001004801f8 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001004803fc .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100480804 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100480600 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100480a08 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000491401 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000491419 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000491431 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000049144a 2 bytes [49, 00] .text ... * 9 .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000004914dd 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000004914f5 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000049150d 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000491525 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000049153d 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000491555 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000049156d 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000491585 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000049159d 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000004915b5 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000004915cd 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000004916b2 2 bytes [49, 00] .text E:\Oracle\app\oracle\product\11.2.0\server\BIN\tnslsnr.exe[2288] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000004916bd 2 bytes [49, 00] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100161014 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100160804 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100160a08 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100160c0c .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100160e10 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001601f8 .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001603fc .text C:\Program Files (x86)\PDF Architect\HelperService.exe[2360] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100160600 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\PDF Architect\ConversionService.exe[2384] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001000a0600 .text C:\Windows\system32\svchost.exe[2416] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\system32\svchost.exe[2416] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 00000001004a075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001004a03a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 00000001004a0b14 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 00000001004a0ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001004a163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 00000001004a1284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2888] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 00000001002b075c .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001002b03a4 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 00000001002b0b14 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 00000001002b0ecc .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001002b163c .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 00000001002b1284 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\system32\taskeng.exe[408] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\System32\WUDFHost.exe[3108] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 00000001002e075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001002e03a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 00000001002e0b14 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 00000001002e0ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001002e163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 00000001002e1284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[3356] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001003e1014 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001003e0c0c .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001003e0e10 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001003f01f8 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001003f03fc .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001003f0804 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001003f0600 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001003f0a08 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Program Files (x86)\Gadu-Gadu\gg.exe[3376] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 00000001001a075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001001a03a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 00000001001a0b14 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 00000001001a0ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 00000001001a163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 00000001001a1284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Program Files\Windows Sidebar\sidebar.exe[3552] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001002d1014 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001002d0804 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001002d0a08 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001002d0c0c .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001002d0e10 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001002d01f8 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001002d03fc .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001002d0600 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000002e1401 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000002e1419 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000002e1431 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000002e144a 2 bytes [2E, 00] .text ... * 9 .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000002e14dd 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000002e14f5 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000002e150d 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000002e1525 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000002e153d 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000002e1555 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000002e156d 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000002e1585 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000002e159d 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000002e15b5 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000002e15cd 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000002e16b2 2 bytes [2E, 00] .text C:\Program Files (x86)\RocketDock\RocketDock.exe[3564] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000002e16bd 2 bytes [2E, 00] .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001002401f8 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001002403fc .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100240804 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100240600 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100240a08 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Nokia\Nokia Suite\NokiaSuite.exe[3640] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001701f8 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001703fc .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100170804 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100170600 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100170a08 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100181014 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100180804 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100180a08 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100180c0c .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100180e10 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001801f8 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001803fc .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100180600 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000002b1401 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000002b1419 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000002b1431 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000002b144a 2 bytes [2B, 00] .text ... * 9 .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000002b14dd 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000002b14f5 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000002b150d 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000002b1525 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000002b153d 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000002b1555 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000002b156d 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000002b1585 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000002b159d 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000002b15b5 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000002b15cd 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000002b16b2 2 bytes [2B, 00] .text C:\Program Files (x86)\Winamp\winampa.exe[3952] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000002b16bd 2 bytes [2B, 00] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3960] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001701f8 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001703fc .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100170804 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100170600 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100170a08 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100181014 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100180804 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100180a08 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100180c0c .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100180e10 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001801f8 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001803fc .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100180600 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000331401 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000331419 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000331431 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000033144a 2 bytes [33, 00] .text ... * 9 .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003314dd 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003314f5 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000033150d 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000331525 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000033153d 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000331555 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000033156d 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000331585 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000033159d 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003315b5 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003315cd 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003316b2 2 bytes [33, 00] .text C:\Windows\SysWOW64\CtHelper.exe[4016] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003316bd 2 bytes [33, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001003d01f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001003d03fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001003d0804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001003d0600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001003d0a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001003e1014 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001003e0804 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001003e0a08 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001003e0c0c .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001003e0e10 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001003e01f8 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001003e03fc .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001003e0600 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000681401 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000681419 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000681431 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000068144a 2 bytes [68, 00] .text ... * 9 .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000006814dd 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000006814f5 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000068150d 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000681525 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000068153d 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000681555 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000068156d 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000681585 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000068159d 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000006815b5 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000006815cd 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000006816b2 2 bytes [68, 00] .text C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe[1112] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000006816bd 2 bytes [68, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100251014 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100250804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100250a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100250c0c .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100250e10 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001002501f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001002503fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100250600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001002601f8 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001002603fc .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100260804 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100260600 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100260a08 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000002a1401 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000002a1419 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000002a1431 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000002a144a 2 bytes [2A, 00] .text ... * 9 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000002a14dd 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000002a14f5 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000002a150d 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000002a1525 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000002a153d 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000002a1555 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000002a156d 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000002a1585 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000002a159d 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000002a15b5 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000002a15cd 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000002a16b2 2 bytes [2A, 00] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1472] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000002a16bd 2 bytes [2A, 00] .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 000000010037075c .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001003703a4 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 0000000100370b14 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 0000000100370ecc .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 000000010037163c .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 0000000100371284 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\system32\SearchIndexer.exe[3816] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3276] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 000000010037075c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001003703a4 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00000000772313c0 5 bytes JMP 0000000077390440 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 0000000077231410 5 bytes JMP 0000000077390430 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 0000000100370b14 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 0000000100370ecc .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00000000772315c0 1 byte JMP 0000000077390450 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx + 2 00000000772315c2 3 bytes {JMP 0x15ee90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 000000010037163c .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 0000000077231680 5 bytes JMP 0000000077390320 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000772316b0 5 bytes JMP 0000000077390380 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077231710 5 bytes JMP 00000000773902e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 0000000077231760 5 bytes JMP 0000000077390410 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077231790 5 bytes JMP 00000000773902d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000772317b0 5 bytes JMP 0000000077390310 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000772317f0 5 bytes JMP 0000000077390390 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 0000000100371284 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 0000000077231840 5 bytes JMP 00000000773903c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00000000772319a0 1 byte JMP 0000000077390230 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry + 2 00000000772319a2 3 bytes {JMP 0x15e890} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 0000000077231b60 5 bytes JMP 0000000077390460 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 0000000077231b90 5 bytes JMP 0000000077390370 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 0000000077231c70 5 bytes JMP 00000000773902f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 0000000077231c80 5 bytes JMP 0000000077390350 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077231ce0 5 bytes JMP 0000000077390290 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077231d70 5 bytes JMP 00000000773902b0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 0000000077231d90 5 bytes JMP 00000000773903a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 0000000077231da0 1 byte JMP 0000000077390330 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 2 0000000077231da2 3 bytes {JMP 0x15e590} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 0000000077231e10 5 bytes JMP 00000000773903e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 0000000077231e40 5 bytes JMP 0000000077390240 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 0000000077232100 5 bytes JMP 00000000773901e0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00000000772321c0 1 byte JMP 0000000077390250 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00000000772321c2 3 bytes {JMP 0x15e090} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00000000772321f0 5 bytes JMP 0000000077390470 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 0000000077232200 5 bytes JMP 0000000077390480 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 0000000077232230 5 bytes JMP 0000000077390300 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 0000000077232240 5 bytes JMP 0000000077390360 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00000000772322a0 5 bytes JMP 00000000773902a0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00000000772322f0 5 bytes JMP 00000000773902c0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 0000000077232330 5 bytes JMP 0000000077390340 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 0000000077232620 5 bytes JMP 0000000077390420 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 0000000077232820 5 bytes JMP 0000000077390260 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 0000000077232830 5 bytes JMP 0000000077390270 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 0000000077232840 1 byte JMP 00000000773903d0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread + 2 0000000077232842 3 bytes {JMP 0x15db90} .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 0000000077232a00 5 bytes JMP 00000000773901f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 0000000077232a10 5 bytes JMP 0000000077390210 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 0000000077232a80 5 bytes JMP 0000000077390200 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 0000000077232ae0 5 bytes JMP 00000000773903f0 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 0000000077232af0 5 bytes JMP 0000000077390400 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 0000000077232b00 5 bytes JMP 0000000077390220 .text C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[1184] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 0000000077232be0 5 bytes JMP 0000000077390280 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100101014 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100100804 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100100a08 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100100c0c .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100100e10 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001001f8 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001003fc .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100100600 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001101f8 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001103fc .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100110804 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100110600 .text C:\Program Files (x86)\PC Connectivity Solution\ServiceLayer.exe[1772] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100110a08 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclUSBSrv64.exe[2860] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001000a0600 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001000b01f8 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001000b03fc .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001000b0804 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001000b0600 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001000b0a08 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Program Files (x86)\PC Connectivity Solution\Transports\NclMSBTSrvEx.exe[5000] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001000901f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001000903fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100090804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100090600 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100090a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001000a1014 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001000a0804 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001000a0a08 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001000a0c0c .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001000a0e10 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001000a01f8 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001000a03fc .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[4080] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001000a0600 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrUnloadDll 0000000077203ae0 5 bytes JMP 000000010027075c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!LdrLoadDll 0000000077207a90 5 bytes JMP 00000001002703a4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtAllocateVirtualMemory 0000000077231490 5 bytes JMP 0000000100270b14 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtFreeVirtualMemory 00000000772314f0 5 bytes JMP 0000000100270ecc .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00000000772315d0 5 bytes JMP 000000010027163c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\ntdll.dll!NtProtectVirtualMemory 0000000077231810 5 bytes JMP 0000000100271284 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\System32\svchost.exe[212] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\USER32.dll!UnhookWinEvent 0000000076d88550 5 bytes JMP 000000010056075c .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\USER32.dll!UnhookWindowsHookEx 0000000076d8d440 5 bytes JMP 0000000100561284 .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\USER32.dll!SetWindowsHookExW 0000000076d8f874 5 bytes JMP 0000000100560ecc .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\USER32.dll!SetWinEventHook 0000000076d94d4c 5 bytes JMP 00000001005603a4 .text C:\Windows\System32\svchost.exe[212] C:\Windows\system32\USER32.dll!SetWindowsHookExA 0000000076da8c20 5 bytes JMP 0000000100560b14 .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!SetServiceObjectSecurity 000007fefed06e00 5 bytes JMP 000007ff7ed21dac .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigA 000007fefed06f2c 5 bytes JMP 000007ff7ed20ecc .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfigW 000007fefed07220 5 bytes JMP 000007ff7ed21284 .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2A 000007fefed0739c 5 bytes JMP 000007ff7ed2163c .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!ChangeServiceConfig2W 000007fefed07538 5 bytes JMP 000007ff7ed219f4 .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceA 000007fefed075e8 5 bytes JMP 000007ff7ed203a4 .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!CreateServiceW 000007fefed0790c 5 bytes JMP 000007ff7ed2075c .text C:\Windows\system32\svchost.exe[3460] C:\Windows\SYSTEM32\sechost.dll!DeleteService 000007fefed07ab4 5 bytes JMP 000007ff7ed20b14 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001000e1014 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001000e0804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001000e0a08 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001000e0c0c .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001000e0e10 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001000e01f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 3 bytes JMP 00000001000e03fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!CreateServiceW + 4 00000000757558a3 1 byte [8A] .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001000e0600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001000f01f8 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001000f03fc .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001000f0804 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001000f0600 .text C:\Program Files (x86)\Microsoft\BingBar\7.1.391.0\SeaPort.exe[3924] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001000f0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001001f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001003fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100100804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100100600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100100a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100161014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100160804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100160a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100160c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100160e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001601f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001603fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100160600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2552] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] ? C:\Windows\system32\mssprxy.dll [2552] entry point in ".rdata" section 00000000739e71e6 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0xf33e28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000101010600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000101010804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0xf33e68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0xf33da8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0xf33d28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0xf33f28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0xf33f68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000101010c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0xf33ee8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0xf33ea8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0xf33c68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0xf33ca8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000101010a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0xf33c28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0xf33de8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0xf33d68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0xf33ce8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001010101f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001010103fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001010201f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001010203fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000101020804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000101020600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000101020a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000101031014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000101030804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000101030a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000101030c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000101030e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001010301f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001010303fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000101030600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4692] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0x50de28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 00000001005e0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 00000001005e0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0x50de68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0x50dda8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0x50dd28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0x50df28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0x50df68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 00000001005e0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0x50dee8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0x50dea8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0x50dc68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0x50dca8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 00000001005e0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0x50dc28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0x50dde8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0x50dd68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0x50dce8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001005e01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001005e03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001007601f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001007603fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100760804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100760600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100760a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100771014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100770804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100770a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100770c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100770e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001007701f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001007703fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100770600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000a51401 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000a51419 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000a51431 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000a5144a 2 bytes [A5, 00] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000a514dd 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000a514f5 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000a5150d 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000a51525 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000a5153d 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000a51555 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000a5156d 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000a51585 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000a5159d 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000a515b5 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000a515cd 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000a516b2 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4304] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000a516bd 2 bytes [A5, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0x30d228; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100360600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100360804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0x30d268; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0x30d1a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0x30d128; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0x30d328; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0x30d368; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100360c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0x30d2e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0x30d2a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0x30d068; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0x30d0a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100360a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0x30d028; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0x30d1e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0x30d168; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0x30d0e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001003601f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001003603fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001003701f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001003703fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100370804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100370600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100370a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100381014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100380804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100380a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100380c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100380e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001003801f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001003803fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100380600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000671401 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000671419 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000671431 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000067144a 2 bytes [67, 00] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000006714dd 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000006714f5 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000067150d 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000671525 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000067153d 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000671555 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000067156d 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000671585 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000067159d 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000006715b5 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000006715cd 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000006716b2 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4236] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000006716bd 2 bytes [67, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0xb4e28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 00000001001d0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 00000001001d0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0xb4e68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0xb4da8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0xb4d28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0xb4f28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0xb4f68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 00000001001d0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0xb4ee8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0xb4ea8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0xb4c68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0xb4ca8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 00000001001d0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0xb4c28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0xb4de8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0xb4d68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0xb4ce8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001001d01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001001d03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001001e01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001001e03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001001e0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001001e0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001001e0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001001f1014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001001f0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001001f0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001001f0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001001f0e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001001f01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001001f03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001001f0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0x6b3628; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100890600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100890804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0x6b3668; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0x6b35a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0x6b3528; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0x6b3728; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0x6b3768; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100890c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0x6b36e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0x6b36a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0x6b3468; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0x6b34a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100890a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0x6b3428; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0x6b35e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0x6b3568; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0x6b34e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001008901f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001008903fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001008a01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001008a03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001008a0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001008a0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001008a0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001008b1014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001008b0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001008b0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001008b0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001008b0e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001008b01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001008b03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001008b0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000a71401 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000a71419 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000a71431 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000000a7144a 2 bytes [A7, 00] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000000a714dd 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000000a714f5 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000000a7150d 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000a71525 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000000a7153d 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000a71555 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000000a7156d 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000a71585 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000000a7159d 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000000a715b5 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000000a715cd 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000000a716b2 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2508] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000000a716bd 2 bytes [A7, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0x1dee28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 00000001003d0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 00000001003d0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0x1dee68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0x1deda8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0x1ded28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0x1def28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0x1def68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 00000001003d0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0x1deee8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0x1deea8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0x1dec68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0x1deca8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 00000001003d0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0x1dec28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0x1dede8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0x1ded68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0x1dece8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001003d01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001003d03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001003e01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001003e03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001003e0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001003e0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001003e0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001003f1014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001003f0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001003f0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001003f0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001003f0e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001003f01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001003f03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001003f0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[2640] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0xf8e28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 00000001002c0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 00000001002c0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0xf8e68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 2 bytes [BA, A8] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 8 00000000773dfc08 4 bytes [0F, 00, FF, E2] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 2 bytes [BA, 28] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 8 00000000773dfc20 4 bytes [0F, 00, FF, E2] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0xf8f28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0xf8f68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 00000001002c0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0xf8ee8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0xf8ea8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0xf8c68; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0xf8ca8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 00000001002c0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0xf8c28; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 2 bytes [BA, E8] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 8 00000000773e10a8 4 bytes {CALL 0xffffffffff000f92} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 2 bytes [BA, 68] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 8 00000000773e1120 4 bytes [0F, 00, FF, E2] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0xf8ce8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001002c01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001002c03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001002d01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001002d03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 00000001002d0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 00000001002d0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 00000001002d0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 00000001002e1014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 00000001002e0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 00000001002e0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 00000001002e0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 00000001002e0e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001002e01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001002e03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 00000001002e0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000000361401 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000000361419 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000000361431 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000000036144a 2 bytes [36, 00] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000003614dd 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000003614f5 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000000036150d 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000000361525 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000000036153d 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000000361555 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000000036156d 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000000361585 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000000036159d 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000003615b5 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000003615cd 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000003616b2 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[3744] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000003616bd 2 bytes [36, 00] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000773df991 7 bytes {MOV EDX, 0x927628; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 00000001009f0600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 00000001009f0804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000773dfbd5 7 bytes {MOV EDX, 0x927668; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000773dfc05 7 bytes {MOV EDX, 0x9275a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000773dfc1d 7 bytes {MOV EDX, 0x927528; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000773dfc35 7 bytes {MOV EDX, 0x927728; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000773dfc65 7 bytes {MOV EDX, 0x927768; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 00000001009f0c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000773dfce5 7 bytes {MOV EDX, 0x9276e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000773dfcfd 7 bytes {MOV EDX, 0x9276a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000773dfd49 7 bytes {MOV EDX, 0x927468; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000773dfe41 7 bytes {MOV EDX, 0x9274a8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 00000001009f0a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000773e0099 7 bytes {MOV EDX, 0x927428; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773e10a5 7 bytes {MOV EDX, 0x9275e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000773e111d 7 bytes {MOV EDX, 0x927568; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000773e1321 7 bytes {MOV EDX, 0x9274e8; JMP RDX} .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001009f01f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001009f03fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 0000000100a001f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 0000000100a003fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100a00804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100a00600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100a00a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100a11014 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100a10804 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100a10a08 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100a10c0c .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100a10e10 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 0000000100a101f8 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 0000000100a103fc .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100a10600 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077391401 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077391419 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077391431 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007739144a 2 bytes [39, 77] .text ... * 9 .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000773914dd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000773914f5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007739150d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077391525 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007739153d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077391555 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007739156d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077391585 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007739159d 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000773915b5 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000773915cd 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000773916b2 2 bytes [39, 77] .text C:\Users\Venon\AppData\Local\Google\Chrome\Application\chrome.exe[1852] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000773916bd 2 bytes [39, 77] .text C:\Windows\system32\AUDIODG.EXE[4404] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 0000000076b5eecd 1 byte [62] .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtAllocateVirtualMemory 00000000773dfaa0 5 bytes JMP 0000000100030600 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtFreeVirtualMemory 00000000773dfb38 5 bytes JMP 0000000100030804 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtTerminateProcess 00000000773dfc90 5 bytes JMP 0000000100030c0c .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 00000000773e0018 5 bytes JMP 0000000100030a08 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 00000000773fc45a 5 bytes JMP 00000001000301f8 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077401217 5 bytes JMP 00000001000303fc .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 00000000762ea30a 1 byte [62] .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!SetServiceObjectSecurity 0000000075755181 5 bytes JMP 0000000100241014 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigA 0000000075755254 5 bytes JMP 0000000100240804 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfigW 00000000757553d5 5 bytes JMP 0000000100240a08 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2A 00000000757554c2 5 bytes JMP 0000000100240c0c .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!ChangeServiceConfig2W 00000000757555e2 5 bytes JMP 0000000100240e10 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!CreateServiceA 000000007575567c 5 bytes JMP 00000001002401f8 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!CreateServiceW 000000007575589f 5 bytes JMP 00000001002403fc .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\SysWOW64\sechost.dll!DeleteService 0000000075755a22 5 bytes JMP 0000000100240600 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\USER32.dll!SetWinEventHook 0000000075f3ee09 5 bytes JMP 00000001002501f8 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\USER32.dll!UnhookWinEvent 0000000075f43982 5 bytes JMP 00000001002503fc .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000075f47603 5 bytes JMP 0000000100250804 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\USER32.dll!SetWindowsHookExA 0000000075f4835c 5 bytes JMP 0000000100250600 .text C:\Users\Venon\Desktop\hnlmz15i.exe[968] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000075f5f52b 5 bytes JMP 0000000100250a08 ---- Threads - GMER 2.0 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3276:4572] 000007fefed30168 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3276:4656] 000007fefbbc2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3276:5052] 000007fef9195124 ---- EOF - GMER 2.0 ----